Windows Analysis Report
t6V3uvyaAP.exe

Overview

General Information

Sample name: t6V3uvyaAP.exe (renamed because original name is a hash value)
Original sample name: 00da40287f0e59b0c96a44a25d0c9a45814f1fbbc9bf7fec9c168d1b7704f5ff.exe
Analysis ID: 1452977
MD5: df6444cce911396d8f4f16efe55f1399
SHA1: bb4f916b3e1195fbf2e0a4afffa91eb331bc642a
SHA256: 00da40287f0e59b0c96a44a25d0c9a45814f1fbbc9bf7fec9c168d1b7704f5ff
Tags: exe, GuLoader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Mass process execution to delay analysis
Obfuscated command line found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Too many similar processes found
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • t6V3uvyaAP.exe (PID: 1036 cmdline: "C:\Users\user\Desktop\t6V3uvyaAP.exe" MD5: DF6444CCE911396D8F4F16EFE55F1399)
    • dllhost.exe (PID: 6316 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • cmd.exe (PID: 6200 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2020 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1812 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2836 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6840 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6408 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5960 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4780 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2728 cmdline: cmd /c set /a "0x75^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2056 cmdline: cmd /c set /a "0x4E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4420 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 972 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2324 cmdline: cmd /c set /a "0x71^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3432 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2528 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6816 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5908 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2884 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1220 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4548 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4364 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3504 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3744 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3260 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1812 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3300 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2360 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6044 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2884 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6820 cmdline: cmd /c set /a "0x50^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5948 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1908 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1668 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 972 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2324 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2448 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5632 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3476 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 948 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6956 cmdline: cmd /c set /a "0x79^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1764 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5320 cmdline: cmd /c set /a "0x56^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6972 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1476 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7004 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2420 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2528 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6816 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5908 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2884 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5588 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4548 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6464 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2736 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2664 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3184 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3432 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5388 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5280 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SIHClient.exe (PID: 3940 cmdline: C:\Windows\System32\sihclient.exe /cv MfnYdPAyJ0Ko6HO8zMAHOA.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
    • cmd.exe (PID: 2356 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6044 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5648 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3640 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5848 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1912 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5076 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2244 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 592 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3804 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1548 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2760 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3640 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1212 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2664 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5224 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2528 cmdline: cmd /c set /a "0x6D^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1924 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1424 cmdline: cmd /c set /a "0x74^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5648 cmdline: cmd /c set /a "0x68^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7052 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3532 cmdline: cmd /c set /a "0x6A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6324 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4884 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4976 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6444 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2448 cmdline: cmd /c set /a "0x70^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 404 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2728 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4364 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1352 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7088 cmdline: cmd /c set /a "0x47^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6324 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2704 cmdline: cmd /c set /a "0x67^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5448 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5204 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5112 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1088 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6956 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5648 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7052 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2548 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3552 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2704 cmdline: cmd /c set /a "0x0B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1812 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6444 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2528 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6820 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2056 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2632 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4368 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7104 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7052 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6324 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5632 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2356 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5948 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5608 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1924 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1668 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1600 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 616 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3532 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6368 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2128 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2664 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6408 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5360 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6976 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3488 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3224 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6820 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3704 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3640 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3136 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6368 cmdline: cmd /c set /a "0x10^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3908 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2832 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6124 cmdline: cmd /c set /a "0x56^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6456 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1548 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4548 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6956 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1488 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2488 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1968 cmdline: cmd /c set /a "0x50^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4884 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3088 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIADAP.exe (PID: 2128 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
    • cmd.exe (PID: 6840 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2864 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1444 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1432 cmdline: cmd /c set /a "0x79^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4800 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 880 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2728 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1488 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2488 cmdline: cmd /c set /a "0x4D^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3640 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5564 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2664 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6620 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6456 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5320 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1424 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3488 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4560 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1908 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 616 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 972 cmdline: cmd /c set /a "0x1F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2420 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5716 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5224 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4044 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6620 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2360 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5112 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4948 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3780 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3224 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3048 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1912 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4632 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3136 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6840 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7140 cmdline: cmd /c set /a "0x50^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 572 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6928 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6064 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5608 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1088 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6684 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3780 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5268 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1600 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1464 cmdline: cmd /c set /a "0x79^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6844 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2420 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 5716 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • cmd.exe (PID: 5224 cmdline: cmd /c set /a "0x47^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1444 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6620 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3940 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5112 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 352 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3004 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7124 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4560 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2736 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3704 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6332 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3640 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3088 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2184 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6648 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6772 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3804 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6928 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5896 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5112 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 352 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4548 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3608 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6832 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6820 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3420 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4632 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2020 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6460 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2704 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 948 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2364 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6620 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2584 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 404 cmdline: cmd /c set /a "0x65^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3800 cmdline: cmd /c set /a "0x47^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6520 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3924 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6952 cmdline: cmd /c set /a "0x71^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2644 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1540 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3532 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 616 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1968 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3404 cmdline: cmd /c set /a "0x76^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6124 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6316 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7080 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3184 cmdline: cmd /c set /a "0x67^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3804 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3504 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5912 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 612 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1828 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6268 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6908 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4208 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2940 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4900 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2620 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3224 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3608 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3204 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1020 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7104 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4256 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3604 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7160 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3420 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1464 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1280 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2304 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3352 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7052 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2420 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.2203633579.000000000054A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000000.00000002.4567222236.000000000054A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000000.00000002.4568602260.00000000055C3000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: t6V3uvyaAP.exe PID: 1036 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
          Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\t6V3uvyaAP.exe", ParentImage: C:\Users\user\Desktop\t6V3uvyaAP.exe, ParentProcessId: 1036, ParentProcessName: t6V3uvyaAP.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5716, ProcessName: svchost.exe
          Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\t6V3uvyaAP.exe", ParentImage: C:\Users\user\Desktop\t6V3uvyaAP.exe, ParentProcessId: 1036, ParentProcessName: t6V3uvyaAP.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5716, ProcessName: svchost.exe
          No Snort rule has matched

          AV Detection
          Source: t6V3uvyaAP.exe Virustotal: Detection: 24%
          Source: t6V3uvyaAP.exe ReversingLabs: Detection: 50%
          Source: t6V3uvyaAP.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: t6V3uvyaAP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Code function: 0_2_00406362 FindFirstFileW,FindClose,0_2_00406362
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405810
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
          Source: global traffic TCP traffic: 192.168.2.6:55439 -> 162.159.36.2:53
          Source: unknown DNS traffic detected: query: 56.126.166.20.in-addr.arpa replaycode: Name error (3)
          Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
          Source: t6V3uvyaAP.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004052BD
          Source: conhost.exe Process created: 252
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Process Stats: CPU usage > 49%
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326A
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe File created: C:\Windows\resources\0809
          Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPD5D.tmp
          Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPB458.tmp
          Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP2E7A.tmp
          Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
          Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
          Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\
          Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
          Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
          Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\inf\WmiApRpl\0009\
          Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\PerfStringBackup.TMP
          Source: C:\Windows\System32\wbem\WMIADAP.exe File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_004066E30_2_004066E3
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_00404AFA0_2_00404AFA
          Source: t6V3uvyaAP.exe, 00000000.00000000.2105213591.0000000000453000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameimplementeredes smelters.exeDVarFileInfo$ vs t6V3uvyaAP.exe
          Source: t6V3uvyaAP.exeBinary or memory string: OriginalFilenameimplementeredes smelters.exeDVarFileInfo$ vs t6V3uvyaAP.exe
          Source: t6V3uvyaAP.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine Classification label: mal76.troj.evad.winEXE@617/36@1/0
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326A
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_0040457E GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_0040457E
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_00402095 CoCreateInstance,0_2_00402095
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe File created: C:\Users\user\AppData\Local\outsplendour
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
          Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
          Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
          Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
          Source: C:\Windows\System32\SIHClient.exe Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
          Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeFile created: C:\Users\user\AppData\Local\Temp\nsbC539.tmp
          Source: t6V3uvyaAP.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\SIHClient.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: t6V3uvyaAP.exeVirustotal: Detection: 24%
          Source: t6V3uvyaAP.exeReversingLabs: Detection: 50%
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeFile read: C:\Users\user\Desktop\t6V3uvyaAP.exe
          Source: unknownProcess created: C:\Users\user\Desktop\t6V3uvyaAP.exe "C:\Users\user\Desktop\t6V3uvyaAP.exe"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv MfnYdPAyJ0Ko6HO8zMAHOA.0.2
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6A^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x47^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x67^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: shfolder.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
          Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: loadperf.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Windows\System32\wbem\WMIADAP.exe File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: t6V3uvyaAP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: Yara match File source: 00000000.00000002.4568602260.00000000055C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.2203633579.000000000054A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.4567222236.000000000054A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: t6V3uvyaAP.exe PID: 1036, type: MEMORYSTR
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x47^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x67^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x47^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x76^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe File created: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe File created: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll
          Source: C:\Windows\System32\wbem\WMIADAP.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
          Source: C:\Windows\System32\wbem\WMIADAP.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\SIHClient.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeRDTSC instruction interceptor: First address: 5C80386 second address: 5C80386 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 mov ecx, 000000D4h 0x00000008 cmp ecx, 0E855327h 0x0000000e jg 00007F0E40BFF1AFh 0x00000014 pop ecx 0x00000015 cmp ebx, ecx 0x00000017 jc 00007F0E40BDB545h 0x00000019 inc ebp 0x0000001a inc ebx 0x0000001b cmp ch, dh 0x0000001d rdtsc
          Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1999
          Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1526
          Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1462
          Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1422
          Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1489
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll
          Source: C:\Windows\System32\SIHClient.exe TID: 3928Thread sleep time: -150000s >= -30000s
          Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6248Thread sleep count: 1999 > 30
          Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6248Thread sleep count: 1526 > 30
          Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6248Thread sleep count: 1462 > 30
          Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6248Thread sleep count: 1422 > 30
          Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6248Thread sleep count: 1489 > 30
          Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
          Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
          Source: C:\Windows\System32\SIHClient.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
          Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_00406362 FindFirstFileW,FindClose,0_2_00406362
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405810
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_004027FB FindFirstFileW,0_2_004027FB
          Source: SIHClient.exe, 00000078.00000002.2494282403.0000019A749E5000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2290096586.0000019A749E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWPI
          Source: SIHClient.exe, 00000078.00000003.2289775078.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2427475293.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000002.2494735933.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2477149272.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2443666570.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2489153309.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2475338277.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2453358966.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000078.00000003.2491026775.0000019A74A3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeAPI call chain: ExitProcess graph end nodegraph_0-4449
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeAPI call chain: ExitProcess graph end nodegraph_0-4454
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6A^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
          Source: C:\Users\user\Desktop\t6V3uvyaAP.exe Code function: 0_2_00406041 GetVersion, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW, 0_2_00406041
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
          Execution: Windows Management Instrumentation (2); Native API (1); Command and Scripting Interpreter (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
          Persistence: DLL Side-Loading (1); Windows Service (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (1); Process Injection (11); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
          Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (11); Time Based Evasion (1)
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
          Discovery: File and Directory Discovery (3); System Information Discovery (123); Security Software Discovery (111); Virtualization/Sandbox Evasion (2); Application Window Discovery (1); Time Based Evasion (1); Remote System Discovery (1); System Owner/User Discovery; Network Sniffing; Network Service Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
          Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
          Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
          [Behavior graph (ID: 1452977; Sample: t6V3uvyaAP.exe; Startdate: 06/06/2024; Architecture: WINDOWS; Score: 76). Signatures shown: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Obfuscated command line found; Mass process execution to delay analysis; Tries to detect virtualization through RDTSC time measurements. t6V3uvyaAP.exe drops C:\Users\user\AppData\Local\...\nsExec.dll and C:\Users\user\AppData\Local\...\System.dll (both PE32) and starts cmd.exe processes with conhost.exe children; the graph collapses the remainder as "273 other processes" and "266 other processes". DNS/IP node: 56.126.166.20.in-addr.arpa]

          Source | Detection | Scanner | Label
          t6V3uvyaAP.exe | 24% | Virustotal |
          t6V3uvyaAP.exe | 50% | ReversingLabs | Win32.Trojan.Guloader

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | 0% | ReversingLabs |
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | 0% | Virustotal |
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | 0% | ReversingLabs |
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | 0% | Virustotal |

          No Antivirus matches

          Source | Detection | Scanner | Label
          56.126.166.20.in-addr.arpa | 3% | Virustotal |

          Source | Detection | Scanner | Label
          http://nsis.sf.net/NSIS_ErrorError | 0% | Avira URL Cloud | safe
          http://nsis.sf.net/NSIS_ErrorError | 0% | Virustotal |

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          56.126.166.20.in-addr.arpa | unknown | unknown | false | | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nsis.sf.net/NSIS_ErrorError | t6V3uvyaAP.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown

          No contacted IP infos
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1452977
          Start date and time:2024-06-06 13:37:09 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 12m 47s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:551
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:t6V3uvyaAP.exe
          renamed because original name is a hash value
          Original Sample Name:00da40287f0e59b0c96a44a25d0c9a45814f1fbbc9bf7fec9c168d1b7704f5ff.exe
          Detection:MAL
          Classification:mal76.troj.evad.winEXE@617/36@1/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 57
          • Number of non-executed functions: 28
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Excluded IPs from analysis (whitelisted): 52.165.165.26, 13.85.23.206, 20.3.187.198, 20.166.126.56, 13.85.23.86
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          • Report size getting too big, too many NtWriteVirtualMemory calls found.
          Time | Type | Description
          07:37:58 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
          07:38:16 | API Interceptor | 5x Sleep call for process: SIHClient.exe modified
          No context
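          Match | Associated Sample Name / URL | Detection | Threat Name
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | Z4f1Tbtgas.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | Z4f1Tbtgas.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | Unspuriousness.exe | malicious | FormBook, GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | Unspuriousness.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | 400 EUR.exe | malicious | GuLoader, Remcos
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | 400 EUR.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | pagamento240529.bat.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | pagamento240529.bat.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | ordinazione d acquisto 00299344.bat.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll | ordinazione d acquisto 00299344.bat.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | Unspuriousness.exe | malicious | FormBook, GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | Unspuriousness.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | malicious | AgentTesla, GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | malicious | AgentTesla, GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.9895.exe | malicious | AgentTesla, GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.31925.exe | malicious | AgentTesla, GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.9895.exe | malicious | GuLoader
          C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.31925.exe | malicious | GuLoader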
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11776
                                                  Entropy (8bit):5.655335921632966
                                                  Encrypted:false
                                                  SSDEEP:192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
                                                  MD5:EE260C45E97B62A5E42F17460D406068
                                                  SHA1:DF35F6300A03C4D3D3BD69752574426296B78695
                                                  SHA-256:E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
                                                  SHA-512:A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Joe Sandbox View:
                                                  • Filename: Z4f1Tbtgas.exe, Detection: malicious, Browse
                                                  • Filename: Z4f1Tbtgas.exe, Detection: malicious, Browse
                                                  • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                                  • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                                  • Filename: 400 EUR.exe, Detection: malicious, Browse
                                                  • Filename: 400 EUR.exe, Detection: malicious, Browse
                                                  • Filename: pagamento240529.bat.exe, Detection: malicious, Browse
                                                  • Filename: pagamento240529.bat.exe, Detection: malicious, Browse
                                                  • Filename: ordinazione d acquisto 00299344.bat.exe, Detection: malicious, Browse
                                                  • Filename: ordinazione d acquisto 00299344.bat.exe, Detection: malicious, Browse
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):6656
                                                  Entropy (8bit):5.139253382998066
                                                  Encrypted:false
                                                  SSDEEP:96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
                                                  MD5:1B0E41F60564CCCCCD71347D01A7C397
                                                  SHA1:B1BDDD97765E9C249BA239E9C95AB32368098E02
                                                  SHA-256:13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
                                                  SHA-512:B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                  Joe Sandbox View:
                                                  • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                                  • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                                  • Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
                                                  • Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):10972
                                                  Entropy (8bit):4.892382175452858
                                                  Encrypted:false
                                                  SSDEEP:192:XyK9IqhE+2QhmCRCB25juJbLHtRkBJSi0u3m7nolq:X7Xh40mCwB2u3sii0u0olq
                                                  MD5:E0793D711445D7E23F4BF69AD2A0A681
                                                  SHA1:625855A515D5D0EBCED8427DFD458610E4246992
                                                  SHA-256:340C748D418A36BC4A555D2B06092FB41FB725B039A364C97C1EABD7EF50AE43
                                                  SHA-512:2408AB5E5E1EE1A4D0F0A24FC97FB9073C329FADB0DA45A492DA11F9C82B52040C2AF7353DB43F435E324D5FD18DD05F77F743D3CC8720C098A97DF5EDBA16CD
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):174992
                                                  Entropy (8bit):7.704678371878765
                                                  Encrypted:false
                                                  SSDEEP:3072:ptiT9mwSM0CPqKy6ramHMh19vnlgV+JUP3aEEno1d2a5RJdg6YMG:Op5X0CyO2M0rlgQ+3aEEo1d2a5x/G
                                                  MD5:460FAD6A366F4029E0E0306693D677CF
                                                  SHA1:6166BBF1F6290ABAABE11AB41B780720BB8F5E3E
                                                  SHA-256:A06F9A8215A8988B5192B02E4DC514612A685ACE28B4D5E935CDE8B5328468DE
                                                  SHA-512:C6FB48F7BF689DBE68479F7A69C352A28223715AED6A83F31D02246699E40751B616EB69AF932AD65D3A5F6FCD0EA6C8592362900F1000159EF084DBDDF4FA83
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:ASCII text, with very long lines (65272), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):65272
                                                  Entropy (8bit):2.6622501989355185
                                                  Encrypted:false
                                                  SSDEEP:768:3luW9cLb2pOZjH0qOukmzHdhE08cX1fcBGW8IIkEEEEEEoBX96+YxMkeb+BLSVPR:3bj2lqG+IX9q26IXypyy0OTYMEVFcI
                                                  MD5:0B8F5E03CD60DAB9E53004BAAC6DDE06
                                                  SHA1:B1EE4261AF7DAB7E382A48D59EC2326775C5A24A
                                                  SHA-256:319614DA635F9A188A41F663840BD10EA156BA09ABB623D4ABC70C4B720A97AF
                                                  SHA-512:2F9D79B2D3FB7DF4A3850273AE8B1372B4C2FD6F0E26A1B13F677C21DD3F391A00F9838313349A5DC2E1FF4B967E2E6A321EA5AFD1D33BA4E6F9F0B322680A5E
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1593
                                                  Entropy (8bit):4.7827969913861095
                                                  Encrypted:false
                                                  SSDEEP:24:b2AXtJt6jnNT9OlGUJoRugPF9acO2QqA3hmRk1KnR+sjI0RAW9RqOw5FMHGcacn:iAXDt6DNxOA9RFPzlgqiQn5kW9hwHh+
                                                  MD5:1A4CA94F39ADCBD05E127607CC9993A0
                                                  SHA1:1C6249E76B3DD5315B2A3DFBBC1E02DFBF754E47
                                                  SHA-256:FC840AA82122EB9EEC1D032D25104F8C9BFBFE1671BF6A268841A53967312041
                                                  SHA-512:21FF66988075EFD4F15EF001BED597CBB37791721F55CEA55140ECB9B95F51E64D6A248D8E5677595EA1AF1B62A0EAD54584264D5211798F4141A43CEE1525E9
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):9832
                                                  Entropy (8bit):4.90925380839641
                                                  Encrypted:false
                                                  SSDEEP:192:HnR06jz+VjB9QBI/H2YcXvdQfYF+KK1ZC5AzRwjDKrb2z5AH:HnRyV99cIvelFPKKAzRD
                                                  MD5:12B0BCE3AE0573AE1276CD87F0709898
                                                  SHA1:57CDCEB9E98CB606D25371FCB8A4903C556D7733
                                                  SHA-256:279A405D723F09D5453D71C6C76F1C3A3B792EDB9D1D1EC3D82D66A60A63CD40
                                                  SHA-512:1493904679F5E9E0708AA38F884EAFC8799EDD53FB0BDF53578F25CE50AD387BEA89E113C1918D8455FEF552F7740AC9EAB8ABDA422EC69EAEC0FB412EEE2F5D
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):12014
                                                  Entropy (8bit):4.886352020865119
                                                  Encrypted:false
                                                  SSDEEP:192:jTmZZAK4ucJLU4AN9o4R2Ax0cWcqfNPxXa/brhXgzKkhyOFy5KTp/1Lfqofi:jCZm7NRU4g5CzcqfNtU2NhyOIKp/1zqn
                                                  MD5:418734ED4634DE7787643A60EA1C8F10
                                                  SHA1:AC64409F656F7110C7FCF1987C92DAE67DA5189B
                                                  SHA-256:C5021D2B81E9352A27CD57CB3F1C94644CCD5E942A94D42F7533980393653B08
                                                  SHA-512:F320C0BEA3835DE1E91C77135EA8B218617D929661D1A666C45DB5A6DF371A439A2E23C6FD16671FB99495BE250B2ACA64B0749A20D831EB2350B680300A5022
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):10093
                                                  Entropy (8bit):4.921304550843908
                                                  Encrypted:false
                                                  SSDEEP:192:DZ8rRF5ahaphjNo0D8isfxagfOzUZt5Dn6OnNeTQMpIXDiqFTJ6dd3UwJzB0KW:98FB20+tO0tnhn3MpITiqju/J2P
                                                  MD5:9060008E461A11F15F9BDEE09706F2AC
                                                  SHA1:F32FBA221B0465E653089E1102D909641DB4592C
                                                  SHA-256:9A120EBD44CB869A97371818103EC064399E6CBE04089D0C8711FCEF98F1E2ED
                                                  SHA-512:23E81C7955822F2D4D86E59D4DB76171FFBB8C17CAA722C2A080304BA6F2AEF61F5CE6C221F8828D3E7C231C8C83E34529BE9338321EF4F151DC980CA1E9A85D
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):11275
                                                  Entropy (8bit):4.942431684383429
                                                  Encrypted:false
                                                  SSDEEP:192:nAuaTg5xjp2K6DSBOn3yP1Ar91Jn+7FKVojZvcNMJQlutl/pK:nAFwL6De03yPm9pVo9vcNMJQlO/pK
                                                  MD5:58085E9D57CBB196894651B435A4FCEA
                                                  SHA1:A47092853C0A3AAE0B9423B2003FF7B0F8957A70
                                                  SHA-256:94CE73AFED0065F579AD1AC5D19EF243E1B77446FFE24751FED28317F1578B8A
                                                  SHA-512:C3DE1FCD063334E75A05996BCCE2BABB7D6634BD12719D25F29D085AE313A9473DEEC3D52319ABAB79F29CDD4B1664139FC7B2F5E99A9342845542EACACD39AF
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2277
                                                  Entropy (8bit):4.8720546744219755
                                                  Encrypted:false
                                                  SSDEEP:48:PCdrJOcv/Q/KFpuMOFkNvf2afRsRX6FpAa4dr67fx3:K9vI6TWQRAKzAa1rx3
                                                  MD5:A6ECDF28D8D760E514B38D9B6F0C0484
                                                  SHA1:3A5E930136BD8AF3355C0E0ABCA117C75EE08C38
                                                  SHA-256:30B4447E0B81B9FD6F712A9F8530E1097C0A597BFCDC45C6A24960F31DF0BD01
                                                  SHA-512:82E0B63671BC1E0A810B8EDFF5B05F68C9A0EB49E845434CAA2E4B7848CF86D48123F09E8A7F2524D6B626428EDCB810B2ABE4390E829D6D1160819F7E4884F2
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):10093
                                                  Entropy (8bit):4.908874815539876
                                                  Encrypted:false
                                                  SSDEEP:192:XvFnwZwrcwIJJ8kQsSNTeW/dM/88oKT2RqNLkeU8QoHt:X8wIJNQ76SaxKRcQWQat
                                                  MD5:69E5D2DAB77C9AC0FAD016A8CC132888
                                                  SHA1:B80B8984AB6A92C42A6DAD69504E9AF4D6432334
                                                  SHA-256:E0592100712DB5131F94AE72FCF2D4808023558293DBD6ACEB909E0A713A922E
                                                  SHA-512:3EF2CD6257FB623737F5B19CFE0F801A0B03431FAF6909D709498B488EF795E072BB4613DBDDDB2E58BCB12D64F1695A676685AB8AE2BCADC0D621432EAD705A
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8927
                                                  Entropy (8bit):4.947192103826229
                                                  Encrypted:false
                                                  SSDEEP:192:TOCOnoHxdeGzvacRYUOmmHRZCzUIRPWskihdFgPXdbX:TuoRdeialUPWRI425SPJX
                                                  MD5:3FF2675B3FE540E5406AE3A47F8E7E1C
                                                  SHA1:8C94B6634DCF0CBFE15BD423511EB4B990CD07F3
                                                  SHA-256:1BAB29AEB79F9447EF609C1A6152D6E052017A910A8E898970403096B8BED5B6
                                                  SHA-512:0F91AF92E9FA06FFDC0149441F89ABD9E61CF78821437694B85A6986A4AE6A29ED701C5BB0F3E3D05F893B88BA2915EE40715C0A69B27D4E24DAAD26AFE4B1E7
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):14817
                                                  Entropy (8bit):4.973842232000673
                                                  Encrypted:false
                                                  SSDEEP:384:ExQvLKa9w7TFCEY57YoEFCHmn/OCsQ5kSAnu:YQvLKa+TXYNbE6mnGQ0u
                                                  MD5:9857B50710B21F13491FBD4B49CFE2A8
                                                  SHA1:928C4B03C509E2743799D1499C4CC6FB5A272B68
                                                  SHA-256:903B8858C451A31A068EAD95B9D476879D980B54928DF9BA9191FCF342755188
                                                  SHA-512:61F75DA65396525670B3B9A59A26BC9D3D9A0F803F0AC6EFBCF0B6A4AE78F60774DEA6F249021A56E3DAA5DF86EED79DE49F108B781100737078A07E240FA734
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):3610
                                                  Entropy (8bit):4.851625868360139
                                                  Encrypted:false
                                                  SSDEEP:96:MJ3g/KzKjiuJ2pK2b0+2b/7tLbzt7OU6ueeb9eh:igCzqDJGlKzt/zoueuoh
                                                  MD5:09A6BDBFA480990E803035FE0F160769
                                                  SHA1:9B93F41DC69F063F418B04D2479E2A21A42C282B
                                                  SHA-256:BA70E2856F8F8BA456C19A72D3AE9F8D85B02681C323315AD126836D1E3EDBBB
                                                  SHA-512:E349E82A2EF40929EFF522A1C29B5AAF99F3857CE4858B68C9FD700BE657079042EAB84310536DD56A6455DB9005F1B04A9373B8A2EC13E7741961C38E5733C7
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):6952
                                                  Entropy (8bit):4.884923989192729
                                                  Encrypted:false
                                                  SSDEEP:192:WLwMpWNgncchv7F5XymzLsRRTdCVfPnhw:+zpaP2vfXyEsbdCdPn2
                                                  MD5:8C001DE6006342839D659DD9F4CEED6C
                                                  SHA1:9CA07429FE6EB3361B410259342E1AFF3760662B
                                                  SHA-256:C38D73BF73394459CEFB655A178D65C4EFC982AACC568151B58C53A9428A4CE8
                                                  SHA-512:AB14D2372A08B0B3D8AEFD8DD3679CF51DA00563741B1B3D5480FEE7A84AA072F5BB9547717AEB41B3A1ACE550A93E934177E7394D1782505A86CB5D9C5979D6
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8188
                                                  Entropy (8bit):4.984630631981175
                                                  Encrypted:false
                                                  SSDEEP:96:RDq3NihxmhrRyHl7kw6ONznzGdpc+oViKcXddk0UWHLXw1WWUuWl8yVaPz3g:R2cmCFUONTzGLoVUX3L3H77ta3g
                                                  MD5:78AEF8A8B0425EA50D018A0A0A00407F
                                                  SHA1:75CBF326AAF381449343AB34E7B9B6D151BF6632
                                                  SHA-256:6C85C6EAA06602968F61999D902B8434AF8353F64F50329C1E8A4100E6734384
                                                  SHA-512:34C2399709870EF0406299D5EFC51A3A6E222A763FC9DF0E794A6C1F5D79F0834D862D8B14BEAB52C8ADEA26A5029DA2D5533F8C673E769BB3C760630FF4F3C4
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):407
                                                  Entropy (8bit):4.186911394455087
                                                  Encrypted:false
                                                  SSDEEP:6:CHreC6uMP8pWM9LgtpEMhEhOAIEWtw48ITxakAoWSASnu+E5SP5rt:CH6Tdw19yBMABadExakAonF85Ct
                                                  MD5:7737810DEB8E7F00B5CE121EEB189BCB
                                                  SHA1:AD3C8C01DF6557FF6D425C5DDD6D25E5D111A045
                                                  SHA-256:4D6F4DE1AB65601030F536223F8A38DB16FBADBA9FC376332ABE9F352F86D191
                                                  SHA-512:77DECB08D6404699BC7201D5489087D215B65A35DE67CB7888ED22EEAEBD0FF866E314F940F5344E9DA8254B7755616D3D3EDABB1E44B0A3067B4BEC0527BEF0
                                                  Malicious:false
                                                  Preview:negligerer unslumbering trylletaster avlingers linjetllernes spaaedes,rejselotteriets mesocaecal konklusionerne paatage varmeovn sljdens armilla uninformatively gleesomeness..beskeler pinnywinkles fremtidsbyerne eksproprieringsplaner mellemkomsts afflated..underdealing turboventilator fauster.udslgendes collaborativeness rearisen aabningstalerne angie mortensen natklubberne,landzoneloven frowzled anapst.
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8588
                                                  Entropy (8bit):4.888629932145179
                                                  Encrypted:false
                                                  SSDEEP:192:rMLE0UFUzJTwLJPW11HT2Vb+unZev3NulS69ESBn37o3Q:N0ygJTwRwT2h3svCvJBnD
                                                  MD5:E72E4DA0C887E3F827B738F35E0482EC
                                                  SHA1:257D468DC970555ABECFF7B05FD696ABDF6A7D40
                                                  SHA-256:7C8DA843782B56378C86B6DD3375900E26B2C65DD70CA92CA2825817CE3C8424
                                                  SHA-512:AEB104FD5B71E2C850F0F765E06C15A185B44FFAE6419E2047FCEAD27AEF5B158ED41DCC6F30CD8D377F751F845572597DF0C903B2A49D6CC6B5A389D3F6CB40
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):12304
                                                  Entropy (8bit):4.929043817018574
                                                  Encrypted:false
                                                  SSDEEP:192:shTgoifXw8BGeup9Ymc6q/XRxZoQyWKjjI+4iUpZP7tOpSgIo/uunP6QLFx:shbigf7Ymj+ZT9KAs6vOWuPBL3
                                                  MD5:E5FF5853BB7E5F30F19224B4B4BC7C0A
                                                  SHA1:68493998A1960EBF37F3D96785356698B8113B08
                                                  SHA-256:9DACE326D0608440D7103A035D1E4FA5398AC900CD2E7FBF059E0E5E04251649
                                                  SHA-512:E654B7B95DDF8A07DE8422C4580DE51F08D7FCBDCB843DD1744C8CE9403AF6185533654320F7EE0F90EFB72EA696CBE93014A06FED513B14F259B8A4CB52172E
                                                  Malicious:false
                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):3444
                                                  Entropy (8bit):5.011954215267298
                                                  Encrypted:false
                                                  SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                  MD5:B133A676D139032A27DE3D9619E70091
                                                  SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                  SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                  SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                  Malicious:false
                                                  Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):48786
                                                  Entropy (8bit):3.5854495362228453
                                                  Encrypted:false
                                                  SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                                  MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                                  SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                                  SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                                  SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                                  Malicious:false
                                                  Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                                  Process:C:\Windows\System32\SIHClient.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):12288
                                                  Entropy (8bit):2.861959846493622
                                                  Encrypted:false
                                                  SSDEEP:192:F3ZiePsssls0sasGsdKJsv8sQ0oneNtWXlHJ:FJie0RGZzvR5Q0oneNtWXlHJ
                                                  MD5:48897AF76A16BA6C46E61EA8E5276635
                                                  SHA1:D10C2AEF1ABCD8AC3C891E1FD8F07CD318894A98
                                                  SHA-256:38FC4CA0B3A720AF07933BFBAB4386EBD793CE0D8B277FAEEC69A5D2F1A528A4
                                                  SHA-512:424DAC83303FB4DB4821FD0E40A37329CB49E8C05AB0BDA9ABA5D3ADBF9BDFA1C095652DB93394C6F565A684DA08A366CA54BA672B0DA834DD2EFC3C8C32864A
                                                  Malicious:false
                                                  Process:C:\Windows\System32\SIHClient.exe
                                                  File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):17126
                                                  Entropy (8bit):7.3117215578334935
                                                  Encrypted:false
                                                  SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                                                  MD5:1B6460EE0273E97C251F7A67F49ACDB4
                                                  SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                                                  SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                                                  SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                                                  Malicious:false
                                                  Process:C:\Windows\System32\SIHClient.exe
                                                  File Type:Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):17126
                                                  Entropy (8bit):7.3117215578334935
                                                  Encrypted:false
                                                  SSDEEP:192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
                                                  MD5:1B6460EE0273E97C251F7A67F49ACDB4
                                                  SHA1:4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
                                                  SHA-256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
                                                  SHA-512:3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
                                                  Malicious:false
                                                  Process:C:\Windows\System32\SIHClient.exe
                                                  File Type:Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):24490
                                                  Entropy (8bit):7.629144636744632
                                                  Encrypted:false
                                                  SSDEEP:384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
                                                  MD5:ACD24F781C0C8F48A0BD86A0E9F2A154
                                                  SHA1:93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
                                                  SHA-256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
                                                  SHA-512:7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
                                                  Malicious:false
                                                  Process:C:\Windows\System32\SIHClient.exe
                                                  File Type:Microsoft Cabinet archive data, single, 283 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 18148, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):17395
                                                  Entropy (8bit):7.297808060361236
                                                  Encrypted:false
                                                  SSDEEP:192:Y++BFO7SCP3yalzqDHt8Axz5GIqMvus/qnajBMWj6AkKFZYECUqY7S8Zuo1nqnaC:lCksHqzj0l9P6AnCUTZZl9lRo
                                                  MD5:E97660B7AB6838D0D96B5C6BB4328753
                                                  SHA1:AA104E62A8166E23D89C4769EC382EF345299D28
                                                  SHA-256:2BA13EB8A2705B01E54067B2A4FFC17CA2EB376EE3F3BA8D9C5FACE8C5AC1279
                                                  SHA-512:E867FE411239AD8EB66342C9522D48DBC9BB872210CD14B4C734661C4966AEC8CF022C510284B70736049E1F98C4EDA18651C7F7A3B7F6E1DEF782F4F89E8FB2
                                                  Malicious:false
                                                  Process:C:\Windows\System32\SIHClient.exe
                                                  File Type:Microsoft Cabinet archive data, single, 8785 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 36571, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):25457
                                                  Entropy (8bit):7.655665945183416
                                                  Encrypted:false
                                                  SSDEEP:384:i9eD3oXHzqAAteICxU2L/l/dVCmMMx2GCq3fQkclmIO+WccCuqvXolUjx2:3AhAteHq2L/l/dkMxjCgF+WcmqvS
                                                  MD5:9D27F0ECE5019003D4415EB80973B81A
                                                  SHA1:39C19D8842C0201FD203F6D1EA79CEBD2E880970
                                                  SHA-256:331D51A091FFA84C2959F2A5971EEC6EC976F00B84473E4861D72CBED4C97203
                                                  SHA-512:8DF4CBDF4248743F50DFB41B0E6CC94C61227505288B23742EA0E9C86A8FA71D2AA84621D094D867C91BA4B551256E7FDD28ADE5ABA6C23F68CD80A4768922E1
                                                  Malicious:false
                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):840878
                                                  Entropy (8bit):3.4224066455051885
                                                  Encrypted:false
                                                  SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
                                                  MD5:D3ED23A3E63ACA8CF656C585568DA6D7
                                                  SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
                                                  SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
                                                  SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
                                                  Malicious:false
                                                  Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.
                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):137550
                                                  Entropy (8bit):3.409189992022338
                                                  Encrypted:false
                                                  SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
                                                  MD5:084B771A167854C5B38E25D4E199B637
                                                  SHA1:AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
                                                  SHA-256:B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
                                                  SHA-512:426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
                                                  Malicious:false
                                                  Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.
                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):715050
                                                  Entropy (8bit):3.278818886805871
                                                  Encrypted:false
                                                  SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
                                                  MD5:342BC94F85E143BE85B5B997163A0BB3
                                                  SHA1:8780CD88D169AE88C843E19239D9A32625F6A73E
                                                  SHA-256:F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
                                                  SHA-512:0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
                                                  Malicious:false
                                                  Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.
                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):3444
                                                  Entropy (8bit):5.011954215267298
                                                  Encrypted:false
                                                  SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                  MD5:B133A676D139032A27DE3D9619E70091
                                                  SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                  SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                  SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                  Malicious:false
                                                  Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                  Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):48786
                                                  Entropy (8bit):3.5854495362228453
                                                  Encrypted:false
                                                  SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                                  MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                                  SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                                  SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                                  SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                                  Malicious:false
                                                  Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Entropy (8bit):7.784906551563071
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:t6V3uvyaAP.exe
                                                  File size:310'578 bytes
                                                  MD5:df6444cce911396d8f4f16efe55f1399
                                                  SHA1:bb4f916b3e1195fbf2e0a4afffa91eb331bc642a
                                                  SHA256:00da40287f0e59b0c96a44a25d0c9a45814f1fbbc9bf7fec9c168d1b7704f5ff
                                                  SHA512:16d66937afe75cc575591fd9ef14e9cb6639be9230b409dd65fd42a345e120a6d59a69e7860f9b546300b36366f8df1ccae549fc6af7df702ede303768a79bdf
                                                  SSDEEP:6144:8Z/qRrG7Vs9P31z4ms8WhHhRkwISCyIF3UdLOpFtwUhaU+jwbxBKtDon:8BT7+99zG84UxHyu3UdLOpFmUcJEutA
                                                  TLSH:0064025077E9486AE1E142B12CA296F8EA7BBE401821570B8F187F7F3D3A5B14E17247
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L...s..V.................`...*.....
                                                  Icon Hash:a5d56872428d9074
                                                  Entrypoint:0x40326a
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x567F8473 [Sun Dec 27 06:25:55 2015 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:d4b94e8ee3f620a89d114b9da4b31873
                                                  Instruction
                                                  sub esp, 000002D4h
                                                  push ebp
                                                  push esi
                                                  push 00000020h
                                                  xor ebp, ebp
                                                  pop esi
                                                  mov dword ptr [esp+0Ch], ebp
                                                  push 00008001h
                                                  mov dword ptr [esp+0Ch], 00409300h
                                                  mov dword ptr [esp+18h], ebp
                                                  call dword ptr [004070B0h]
                                                  call dword ptr [004070ACh]
                                                  cmp ax, 00000006h
                                                  je 00007F0E407D7FC3h
                                                  push ebp
                                                  call 00007F0E407DB106h
                                                  cmp eax, ebp
                                                  je 00007F0E407D7FB9h
                                                  push 00000C00h
                                                  call eax
                                                  push ebx
                                                  push edi
                                                  push 004092F4h
                                                  call 00007F0E407DB083h
                                                  push 004092ECh
                                                  call 00007F0E407DB079h
                                                  push 004092E0h
                                                  call 00007F0E407DB06Fh
                                                  push 00000009h
                                                  call 00007F0E407DB0D4h
                                                  push 00000007h
                                                  call 00007F0E407DB0CDh
                                                  mov dword ptr [00429224h], eax
                                                  call dword ptr [00407044h]
                                                  push ebp
                                                  call dword ptr [004072A8h]
                                                  mov dword ptr [004292D8h], eax
                                                  push ebp
                                                  lea eax, dword ptr [esp+34h]
                                                  push 000002B4h
                                                  push eax
                                                  push ebp
                                                  push 004206C8h
                                                  call dword ptr [0040718Ch]
                                                  push 004092C8h
                                                  push 00428220h
                                                  call 00007F0E407DACBAh
                                                  call dword ptr [004070A8h]
                                                  mov ebx, 00434000h
                                                  push eax
                                                  push ebx
                                                  call 00007F0E407DACA8h
                                                  push ebp
                                                  call dword ptr [00407178h]
                                                  Programming Language:
                                                  • [EXP] VC++ 6.0 SP5 build 8804
                                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x74bc           0xa0          .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x53000          0x50c8        .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x2b8         .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                  Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                                  .text   0x1000           0x5ffa        0x6000    df2f822ba33541e61d4a603b60bbdbcc  False     0.6675211588541666   data       6.472885474718374   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata  0x7000           0x1370        0x1400    a10c5fabf76461b1b26713fde2284808  False     0.4404296875         data       5.0714431097950134  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data   0x9000           0x20318       0x600     45bc104aba688d708375b6b0133d1563  False     0.5084635416666666   data       3.9955723529870646  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .ndata  0x2a000          0x29000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc   0x53000          0x50c8        0x5200    426bb29050c5f87bd5f46d9e517e5ca2  False     0.18064024390243902  data       2.915223590153904   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x53298 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.10197095435684647
RT_ICON | 0x55840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.17659474671669795
RT_ICON | 0x568e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.21598360655737706
RT_ICON | 0x57270 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2703900709219858
RT_DIALOG | 0x576d8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x577d8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x578f8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x579c0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x57a20 | 0x3e | data | English | United States | 0.8064516129032258
RT_VERSION | 0x57a60 | 0x328 | data | English | United States | 0.47029702970297027
RT_MANIFEST | 0x57d88 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447

DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Language of compilation system | Country where language is spoken
English | United States

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 6, 2024 13:38:30.720563889 CEST | 55439 | 53 | 192.168.2.6 | 162.159.36.2
Jun 6, 2024 13:38:30.725595951 CEST | 53 | 55439 | 162.159.36.2 | 192.168.2.6
Jun 6, 2024 13:38:30.725682974 CEST | 55439 | 53 | 192.168.2.6 | 162.159.36.2
Jun 6, 2024 13:38:30.725749016 CEST | 55439 | 53 | 192.168.2.6 | 162.159.36.2
Jun 6, 2024 13:38:30.730676889 CEST | 53 | 55439 | 162.159.36.2 | 192.168.2.6
Jun 6, 2024 13:38:31.317081928 CEST | 53 | 55439 | 162.159.36.2 | 192.168.2.6
Jun 6, 2024 13:38:31.317751884 CEST | 55439 | 53 | 192.168.2.6 | 162.159.36.2
Jun 6, 2024 13:38:31.323554039 CEST | 53 | 55439 | 162.159.36.2 | 192.168.2.6
Jun 6, 2024 13:38:31.323616982 CEST | 55439 | 53 | 192.168.2.6 | 162.159.36.2

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 6, 2024 13:38:30.720022917 CEST | 53 | 58878 | 162.159.36.2 | 192.168.2.6
Jun 6, 2024 13:38:31.357376099 CEST | 52201 | 53 | 192.168.2.6 | 1.1.1.1
Jun 6, 2024 13:38:31.365968943 CEST | 53 | 52201 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 6, 2024 13:38:31.357376099 CEST | 192.168.2.6 | 1.1.1.1 | 0xc37a | Standard query (0) | 56.126.166.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 6, 2024 13:38:31.365968943 CEST | 1.1.1.1 | 192.168.2.6 | 0xc37a | Name error (3) | 56.126.166.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


                                                  Target ID:0
                                                  Start time:07:37:58
                                                  Start date:06/06/2024
                                                  Path:C:\Users\user\Desktop\t6V3uvyaAP.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\t6V3uvyaAP.exe"
                                                  Imagebase:0x400000
                                                  File size:310'578 bytes
                                                  MD5 hash:DF6444CCE911396D8F4F16EFE55F1399
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000003.2203633579.000000000054A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.4567222236.000000000054A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4568602260.00000000055C3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:1
                                                  Start time:07:37:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\dllhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                  Imagebase:0x7ff642ec0000
                                                  File size:21'312 bytes
                                                  MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x53^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x55^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x43^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:07:38:03
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x14^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x75^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:07:38:04
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x49^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:23
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:24
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x51^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:25
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:26
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x71^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:27
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:28
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:29
                                                  Start time:07:38:05
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:30
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x48^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:31
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:32
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x42^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:33
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:34
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x49^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:35
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:36
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x51^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:37
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:38
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:39
                                                  Start time:07:38:06
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:40
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:41
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:42
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:43
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:44
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x11^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:45
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:46
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:47
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:48
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:49
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:50
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:51
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:52
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:53
                                                  Start time:07:38:07
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:54
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:55
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:56
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4B^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:57
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:58
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x55^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:59
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:60
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x50^38"
                                                  Imagebase:0x7ff7403e0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:61
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:62
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x45^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:63
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:64
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:65
                                                  Start time:07:38:08
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:66
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x52^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:67
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:68
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x08^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:69
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:70
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x42^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:71
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:72
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:73
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:74
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:75
                                                  Start time:07:38:09
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:76
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:77
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:78
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:79
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:80
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x79^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:81
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:82
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x49^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:83
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:84
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x56^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:85
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:86
                                                  Start time:07:38:10
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x43^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:87
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:88
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x48^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:89
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:90
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:91
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:92
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4B^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:93
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:94
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:95
                                                  Start time:07:38:11
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:96
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:97
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:98
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x12^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:99
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:100
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:101
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:102
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:103
                                                  Start time:07:38:12
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:104
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:105
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:106
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:107
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:108
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:109
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:110
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:111
                                                  Start time:07:38:13
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:112
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:113
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:114
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:115
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:116
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:117
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:118
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:119
                                                  Start time:07:38:14
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:120
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\SIHClient.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\sihclient.exe /cv MfnYdPAyJ0Ko6HO8zMAHOA.0.2
                                                  Imagebase:0x7ff61f6e0000
                                                  File size:380'720 bytes
                                                  MD5 hash:8BE47315BF30475EEECE8E39599E9273
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:121
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:122
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:123
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:124
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:125
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:126
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:127
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:128
                                                  Start time:07:38:15
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:129
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:130
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:131
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:132
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:133
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:134
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:135
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x17^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:136
                                                  Start time:07:38:16
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:139
                                                  Start time:07:38:17
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:140
                                                  Start time:07:38:17
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:141
                                                  Start time:07:38:17
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:142
                                                  Start time:07:38:17
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:143
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:144
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:145
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:146
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:147
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x08^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:148
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:149
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:150
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:151
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x13^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:152
                                                  Start time:07:38:18
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:153
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:154
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:155
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x6D^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:156
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:157
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x63^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:158
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:159
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x74^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:160
                                                  Start time:07:38:19
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:161
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x68^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:162
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:163
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x63^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:164
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:165
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x6A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:166
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:167
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:168
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:169
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x14^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:170
                                                  Start time:07:38:20
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:171
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:172
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:173
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:174
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:175
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x70^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:176
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:177
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:178
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:179
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:180
                                                  Start time:07:38:21
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:181
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x52^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:182
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:183
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x53^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:184
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:185
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x47^38"
                                                  Imagebase:0x7ff7934f0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:186
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:187
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:188
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:189
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x67^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:190
                                                  Start time:07:38:22
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:191
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:192
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:193
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:194
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:195
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x49^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:196
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:197
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x45^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:198
                                                  Start time:07:38:23
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:199
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x63^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:200
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:201
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:202
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:203
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:204
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:205
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:206
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:207
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:208
                                                  Start time:07:38:24
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:209
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0B^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:210
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:211
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x17^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:212
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:213
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:214
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:215
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:216
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:217
                                                  Start time:07:38:25
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:218
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:219
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:220
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:221
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:222
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:223
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:224
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:225
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:226
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:227
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:228
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:229
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:230
                                                  Start time:07:38:26
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:231
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:232
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:233
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x14^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:234
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:235
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x13^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:236
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:237
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x17^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:238
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:239
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:240
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:241
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x14^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:242
                                                  Start time:07:38:27
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:243
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:244
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:245
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:246
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:247
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:248
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:249
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:250
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:251
                                                  Start time:07:38:28
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x7ff6ae840000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:252
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:253
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:254
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:255
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:256
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:257
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:258
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:259
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:260
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:261
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:262
                                                  Start time:07:38:29
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:263
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:264
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:265
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:266
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:267
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:268
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:269
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:270
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:271
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:272
                                                  Start time:07:38:30
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:273
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x10^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:274
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:275
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x12^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:276
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:277
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:278
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:279
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x56^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:280
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:281
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x08^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:282
                                                  Start time:07:38:31
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:283
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:284
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:285
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x12^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:286
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:287
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:288
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:289
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4B^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:290
                                                  Start time:07:38:32
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:291
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x55^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:292
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:293
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x50^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:294
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:295
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x45^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:296
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:297
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:298
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:299
                                                  Start time:07:38:33
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\wbem\WMIADAP.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:wmiadap.exe /F /T /R
                                                  Imagebase:0x7ff6ead30000
                                                  File size:182'272 bytes
                                                  MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:300
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x52^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:301
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:302
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:303
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:304
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:305
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:306
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x79^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:307
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:308
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:309
                                                  Start time:07:38:34
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:310
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x55^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:311
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:312
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x43^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:313
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:314
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x43^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:315
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:316
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4D^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:317
                                                  Start time:07:38:35
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:318
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:319
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:320
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:321
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:322
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:323
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:324
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:325
                                                  Start time:07:38:36
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:326
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x13^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:327
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:328
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x7ff6bac90000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:329
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:330
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:331
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:332
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:333
                                                  Start time:07:38:37
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:334
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:335
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:336
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x11^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:337
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:338
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x17^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:339
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:340
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:341
                                                  Start time:07:38:38
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:342
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:343
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:344
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:345
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:346
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:347
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:348
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:349
                                                  Start time:07:38:39
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:350
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:351
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:352
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:353
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:354
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:355
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:356
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:357
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:358
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:359
                                                  Start time:07:38:40
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:360
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x08^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:361
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:362
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:363
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:364
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x11^38"
                                                  Imagebase:0xe20000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:365
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:366
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:367
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:368
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4B^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:369
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:370
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x55^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:371
                                                  Start time:07:38:41
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:372
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x50^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:373
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:374
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x45^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:375
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:376
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x7ff7403e0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:377
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:378
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x52^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:379
                                                  Start time:07:38:42
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:380
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x08^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:381
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:382
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x42^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:383
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:384
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:385
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:386
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:387
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:388
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:389
                                                  Start time:07:38:43
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:390
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:391
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:392
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x79^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:393
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:394
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:395
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:396
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x43^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:397
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:398
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\svchost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                  Imagebase:0x7ff7403e0000
                                                  File size:55'320 bytes
                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:399
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x47^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:400
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0xe20000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:401
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x42^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:402
                                                  Start time:07:38:44
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:403
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:404
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:405
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:406
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:407
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:408
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:409
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:410
                                                  Start time:07:38:45
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:411
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x13^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:412
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff687660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:413
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:414
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:415
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:416
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:417
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:418
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:419
                                                  Start time:07:38:46
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:420
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:421
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:422
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:423
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x12^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:424
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:425
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:426
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:427
                                                  Start time:07:38:47
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:428
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:429
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:430
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:431
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:432
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:433
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:434
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:435
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:436
                                                  Start time:07:38:48
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7403e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:437
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x14^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:438
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:439
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x13^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:440
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:441
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x17^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:442
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:443
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:444
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:445
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x14^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:446
                                                  Start time:07:38:49
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:447
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:448
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:449
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:450
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:451
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:452
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:453
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x53^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:454
                                                  Start time:07:38:50
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:455
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x55^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:456
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:457
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x43^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:458
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:459
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:460
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:461
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x15^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:462
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:463
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x14^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:464
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:465
                                                  Start time:07:38:51
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:466
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:467
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x1C^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:468
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:469
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x65^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:470
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:471
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x47^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:472
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:473
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:474
                                                  Start time:07:38:52
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:475
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:476
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:477
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x71^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:478
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:479
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:480
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:481
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x48^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:482
                                                  Start time:07:38:53
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:483
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x42^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:484
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:485
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x49^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:486
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:487
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x51^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:488
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff74cd10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:489
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x76^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:490
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:491
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:492
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:493
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x49^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:494
                                                  Start time:07:38:54
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:495
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x45^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:496
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff687660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:497
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x67^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:498
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:499
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0E^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:500
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:501
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:502
                                                  Start time:07:38:55
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:503
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:504
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:505
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x54^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:506
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:507
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x12^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:508
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0xe20000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:509
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:510
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:511
                                                  Start time:07:38:56
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:512
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:513
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:514
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:515
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:516
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:517
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:518
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:519
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:520
                                                  Start time:07:38:57
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:521
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:522
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:523
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:524
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0xe20000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:525
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:526
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:527
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:528
                                                  Start time:07:38:58
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:529
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:530
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:531
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:532
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:533
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:534
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:535
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:536
                                                  Start time:07:38:59
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:537
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0A^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:538
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:539
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:540
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:541
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x4F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:542
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:543
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x06^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:544
                                                  Start time:07:39:00
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:545
                                                  Start time:07:39:01
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x16^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:546
                                                  Start time:07:39:01
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:547
                                                  Start time:07:39:01
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x0F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:548
                                                  Start time:07:39:01
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:549
                                                  Start time:07:39:01
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd /c set /a "0x5F^38"
                                                  Imagebase:0x1c0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:550
                                                  Start time:07:39:01
                                                  Start date:06/06/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                    Execution Graph

                                                    Execution Coverage:20.6%
                                                    Dynamic/Decrypted Code Coverage:13.7%
                                                    Signature Coverage:20.8%
                                                    Total number of Nodes:1545
                                                    Total number of Limit Nodes:45
100015fb 4210->4212 4213 100015e6 wsprintfW 4210->4213 4211->4212 4214 10001272 4212->4214 4213->4212 4215 100012b5 GlobalFree 4214->4215 4216 1000127b GlobalAlloc lstrcpynW 4214->4216 4215->4065 4216->4215 4218 1000247a 4217->4218 4220 10001861 4217->4220 4219 10002496 GlobalFree 4218->4219 4218->4220 4219->4218 4220->4077 4220->4078 4222 10001272 2 API calls 4221->4222 4223 1000155e 4222->4223 4223->4071 4224->4135 4225->4161 4227 100015ad 4226->4227 4227->4158 4234 1000121b GlobalAlloc 4228->4234 4230 1000123b lstrcpynW 4230->4157 4231->4161 4232->4152 4233->4160 4234->4230 4236 100012c1 4235->4236 4237 1000122c 2 API calls 4236->4237 4238 100012df 4237->4238 4238->4172 4240 100025e7 VirtualAlloc 4239->4240 4241 1000263d 4239->4241 4240->4241 4241->4175 4242->4202 4244 100012ea 4243->4244 4245 1000130c 4243->4245 4244->4245 4246 100012f0 lstrcpyW 4244->4246 4245->4202 4246->4245 4247->4208 5129 4016c4 5130 402bbf 18 API calls 5129->5130 5131 4016ca GetFullPathNameW 5130->5131 5132 4016e4 5131->5132 5138 401706 5131->5138 5134 406362 2 API calls 5132->5134 5132->5138 5133 40171b GetShortPathNameW 5135 402a4c 5133->5135 5136 4016f6 5134->5136 5136->5138 5139 40601f lstrcpynW 5136->5139 5138->5133 5138->5135 5139->5138 5150 40194e 5151 402bbf 18 API calls 5150->5151 5152 401955 lstrlenW 5151->5152 5153 402531 5152->5153 5154 4027ce 5155 4027d6 5154->5155 5156 4027da FindNextFileW 5155->5156 5158 4027ec 5155->5158 5157 402833 5156->5157 5156->5158 5160 40601f lstrcpynW 5157->5160 5160->5158 4900 401754 4901 402bbf 18 API calls 4900->4901 4902 40175b 4901->4902 4903 405c23 2 API calls 4902->4903 4904 401762 4903->4904 4905 405c23 2 API calls 4904->4905 4905->4904 5161 4048d4 5162 404900 5161->5162 5163 4048e4 5161->5163 5165 404933 5162->5165 5166 404906 SHGetPathFromIDListW 5162->5166 5172 405748 GetDlgItemTextW 5163->5172 5168 40491d SendMessageW 5166->5168 5169 404916 5166->5169 5167 4048f1 SendMessageW 5167->5162 5168->5165 5170 40140b 2 API calls 5169->5170 
5170->5168 5172->5167 5173 401d56 GetDC GetDeviceCaps 5174 402ba2 18 API calls 5173->5174 5175 401d74 MulDiv ReleaseDC 5174->5175 5176 402ba2 18 API calls 5175->5176 5177 401d93 5176->5177 5178 406041 18 API calls 5177->5178 5179 401dcc CreateFontIndirectW 5178->5179 5180 402531 5179->5180 4906 4014d7 4907 402ba2 18 API calls 4906->4907 4908 4014dd Sleep 4907->4908 4910 402a4c 4908->4910 5188 401a57 5189 402ba2 18 API calls 5188->5189 5190 401a5d 5189->5190 5191 402ba2 18 API calls 5190->5191 5192 401a05 5191->5192 5193 40155b 5194 4029f2 5193->5194 5197 405f66 wsprintfW 5194->5197 5196 4029f7 5197->5196 4968 401ddc 4969 402ba2 18 API calls 4968->4969 4970 401de2 4969->4970 4971 402ba2 18 API calls 4970->4971 4972 401deb 4971->4972 4973 401df2 ShowWindow 4972->4973 4974 401dfd EnableWindow 4972->4974 4975 402a4c 4973->4975 4974->4975 5063 4022df 5064 402bbf 18 API calls 5063->5064 5065 4022ee 5064->5065 5066 402bbf 18 API calls 5065->5066 5067 4022f7 5066->5067 5068 402bbf 18 API calls 5067->5068 5069 402301 GetPrivateProfileStringW 5068->5069 5198 401bdf 5199 402ba2 18 API calls 5198->5199 5200 401be6 5199->5200 5201 402ba2 18 API calls 5200->5201 5202 401bf0 5201->5202 5203 401c00 5202->5203 5204 402bbf 18 API calls 5202->5204 5205 401c10 5203->5205 5208 402bbf 18 API calls 5203->5208 5204->5203 5206 401c1b 5205->5206 5207 401c5f 5205->5207 5209 402ba2 18 API calls 5206->5209 5210 402bbf 18 API calls 5207->5210 5208->5205 5211 401c20 5209->5211 5212 401c64 5210->5212 5213 402ba2 18 API calls 5211->5213 5214 402bbf 18 API calls 5212->5214 5215 401c29 5213->5215 5216 401c6d FindWindowExW 5214->5216 5217 401c31 SendMessageTimeoutW 5215->5217 5218 401c4f SendMessageW 5215->5218 5219 401c8f 5216->5219 5217->5219 5218->5219 5220 401960 5221 402ba2 18 API calls 5220->5221 5222 401967 5221->5222 5223 402ba2 18 API calls 5222->5223 5224 401971 5223->5224 5225 402bbf 18 API calls 5224->5225 5226 40197a 5225->5226 5227 40198e lstrlenW 5226->5227 5228 4019ca 5226->5228 5229 
401998 5227->5229 5229->5228 5233 40601f lstrcpynW 5229->5233 5231 4019b3 5231->5228 5232 4019c0 lstrlenW 5231->5232 5232->5228 5233->5231 5234 401662 5235 402bbf 18 API calls 5234->5235 5236 401668 5235->5236 5237 406362 2 API calls 5236->5237 5238 40166e 5237->5238 5239 4066e3 5241 406567 5239->5241 5240 406ed2 5241->5240 5242 4065f1 GlobalAlloc 5241->5242 5243 4065e8 GlobalFree 5241->5243 5244 406668 GlobalAlloc 5241->5244 5245 40665f GlobalFree 5241->5245 5242->5240 5242->5241 5243->5242 5244->5240 5244->5241 5245->5244 5246 4019e4 5247 402bbf 18 API calls 5246->5247 5248 4019eb 5247->5248 5249 402bbf 18 API calls 5248->5249 5250 4019f4 5249->5250 5251 4019fb lstrcmpiW 5250->5251 5252 401a0d lstrcmpW 5250->5252 5253 401a01 5251->5253 5252->5253 4248 4025e5 4262 402ba2 4248->4262 4250 4025f4 4251 40263a ReadFile 4250->4251 4253 4026d3 4250->4253 4254 40267a MultiByteToWideChar 4250->4254 4255 40272f 4250->4255 4258 4026a0 SetFilePointer MultiByteToWideChar 4250->4258 4259 402740 4250->4259 4261 40272d 4250->4261 4274 405c77 ReadFile 4250->4274 4251->4250 4251->4261 4253->4250 4253->4261 4265 405cd5 SetFilePointer 4253->4265 4254->4250 4276 405f66 wsprintfW 4255->4276 4258->4250 4260 402761 SetFilePointer 4259->4260 4259->4261 4260->4261 4263 406041 18 API calls 4262->4263 4264 402bb6 4263->4264 4264->4250 4266 405cf1 4265->4266 4267 405d0d 4265->4267 4268 405c77 ReadFile 4266->4268 4267->4253 4269 405cfd 4268->4269 4269->4267 4270 405d16 SetFilePointer 4269->4270 4271 405d3e SetFilePointer 4269->4271 4270->4271 4272 405d21 4270->4272 4271->4267 4277 405ca6 WriteFile 4272->4277 4275 405c95 4274->4275 4275->4250 4276->4261 4278 405cc4 4277->4278 4278->4267 4279 401e66 4280 402bbf 18 API calls 4279->4280 4281 401e6c 4280->4281 4282 40517e 25 API calls 4281->4282 4283 401e76 4282->4283 4297 4056ff CreateProcessW 4283->4297 4286 401edb CloseHandle 4289 40281e 4286->4289 4287 401e8c WaitForSingleObject 4288 401e9e 4287->4288 4290 401eb0 GetExitCodeProcess 4288->4290 
4300 406431 4288->4300 4292 401ec2 4290->4292 4293 401ecf 4290->4293 4304 405f66 wsprintfW 4292->4304 4293->4286 4294 401ecd 4293->4294 4294->4286 4298 405732 CloseHandle 4297->4298 4299 401e7c 4297->4299 4298->4299 4299->4286 4299->4287 4299->4289 4301 40644e PeekMessageW 4300->4301 4302 406444 DispatchMessageW 4301->4302 4303 401ea5 WaitForSingleObject 4301->4303 4302->4301 4303->4288 4304->4294 4314 401767 4315 402bbf 18 API calls 4314->4315 4316 40176e 4315->4316 4317 401796 4316->4317 4318 40178e 4316->4318 4376 40601f lstrcpynW 4317->4376 4375 40601f lstrcpynW 4318->4375 4321 401794 4325 4062b3 5 API calls 4321->4325 4322 4017a1 4377 4059d3 lstrlenW CharPrevW 4322->4377 4351 4017b3 4325->4351 4327 4017ef 4383 405bcf GetFileAttributesW 4327->4383 4330 4017c5 CompareFileTime 4330->4351 4331 401885 4333 40517e 25 API calls 4331->4333 4332 40185c 4334 40517e 25 API calls 4332->4334 4342 401871 4332->4342 4336 40188f 4333->4336 4334->4342 4335 40601f lstrcpynW 4335->4351 4354 403027 4336->4354 4339 4018b6 SetFileTime 4341 4018c8 FindCloseChangeNotification 4339->4341 4340 406041 18 API calls 4340->4351 4341->4342 4343 4018d9 4341->4343 4344 4018f1 4343->4344 4345 4018de 4343->4345 4346 406041 18 API calls 4344->4346 4347 406041 18 API calls 4345->4347 4348 4018f9 4346->4348 4350 4018e6 lstrcatW 4347->4350 4352 405764 MessageBoxIndirectW 4348->4352 4350->4348 4351->4327 4351->4330 4351->4331 4351->4332 4351->4335 4351->4340 4353 405bf4 GetFileAttributesW CreateFileW 4351->4353 4380 406362 FindFirstFileW 4351->4380 4386 405764 4351->4386 4352->4342 4353->4351 4356 403040 4354->4356 4355 40306b 4390 40320c 4355->4390 4356->4355 4400 403222 SetFilePointer 4356->4400 4360 403088 GetTickCount 4371 40309b 4360->4371 4361 4031ac 4362 4031b0 4361->4362 4367 4031c8 4361->4367 4364 40320c ReadFile 4362->4364 4363 4018a2 4363->4339 4363->4341 4364->4363 4365 40320c ReadFile 4365->4367 4366 40320c ReadFile 4366->4371 4367->4363 4367->4365 4368 405ca6 WriteFile 4367->4368 
4368->4367 4370 403101 GetTickCount 4370->4371 4371->4363 4371->4366 4371->4370 4372 40312a MulDiv wsprintfW 4371->4372 4374 405ca6 WriteFile 4371->4374 4393 406534 4371->4393 4373 40517e 25 API calls 4372->4373 4373->4371 4374->4371 4375->4321 4376->4322 4378 4017a7 lstrcatW 4377->4378 4379 4059ef lstrcatW 4377->4379 4378->4321 4379->4378 4381 406378 FindClose 4380->4381 4382 406383 4380->4382 4381->4382 4382->4351 4384 405be1 SetFileAttributesW 4383->4384 4385 405bee 4383->4385 4384->4385 4385->4351 4387 405779 4386->4387 4388 4057c5 4387->4388 4389 40578d MessageBoxIndirectW 4387->4389 4388->4351 4389->4388 4391 405c77 ReadFile 4390->4391 4392 403076 4391->4392 4392->4360 4392->4361 4392->4363 4394 406559 4393->4394 4395 406561 4393->4395 4394->4371 4395->4394 4396 4065f1 GlobalAlloc 4395->4396 4397 4065e8 GlobalFree 4395->4397 4398 406668 GlobalAlloc 4395->4398 4399 40665f GlobalFree 4395->4399 4396->4394 4396->4395 4397->4396 4398->4394 4398->4395 4399->4398 4400->4355 5254 401ee9 5255 402bbf 18 API calls 5254->5255 5256 401ef0 5255->5256 5257 406362 2 API calls 5256->5257 5258 401ef6 5257->5258 5260 401f07 5258->5260 5261 405f66 wsprintfW 5258->5261 5261->5260 5262 100018a9 5264 100018cc 5262->5264 5263 10001911 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5266 10001272 2 API calls 5263->5266 5264->5263 5265 100018ff GlobalFree 5264->5265 5265->5263 5267 10001a87 GlobalFree GlobalFree 5266->5267 4404 40326a SetErrorMode GetVersion 4405 40329e 4404->4405 4406 4032a4 4404->4406 4407 4063f5 5 API calls 4405->4407 4495 406389 GetSystemDirectoryW 4406->4495 4407->4406 4409 4032bb 4410 406389 3 API calls 4409->4410 4411 4032c5 4410->4411 4412 406389 3 API calls 4411->4412 4413 4032cf 4412->4413 4498 4063f5 GetModuleHandleA 4413->4498 4416 4063f5 5 API calls 4417 4032dd #17 OleInitialize SHGetFileInfoW 4416->4417 4504 40601f lstrcpynW 4417->4504 4419 40331a GetCommandLineW 4505 40601f lstrcpynW 4419->4505 4421 40332c GetModuleHandleW 4422 403344 4421->4422 
4423 405a00 CharNextW 4422->4423 4424 403353 CharNextW 4423->4424 4425 40347e GetTempPathW 4424->4425 4435 40336c 4424->4435 4506 403239 4425->4506 4427 403496 4428 4034f0 DeleteFileW 4427->4428 4429 40349a GetWindowsDirectoryW lstrcatW 4427->4429 4516 402dee GetTickCount GetModuleFileNameW 4428->4516 4430 403239 12 API calls 4429->4430 4433 4034b6 4430->4433 4431 405a00 CharNextW 4431->4435 4433->4428 4436 4034ba GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4433->4436 4434 403504 4442 405a00 CharNextW 4434->4442 4479 4035a7 4434->4479 4490 4035b7 4434->4490 4435->4431 4438 403469 4435->4438 4440 403467 4435->4440 4439 403239 12 API calls 4436->4439 4600 40601f lstrcpynW 4438->4600 4445 4034e8 4439->4445 4440->4425 4457 403523 4442->4457 4445->4428 4445->4490 4446 4036f2 4449 403776 ExitProcess 4446->4449 4450 4036fa GetCurrentProcess OpenProcessToken 4446->4450 4447 4035d2 4448 405764 MessageBoxIndirectW 4447->4448 4454 4035e0 ExitProcess 4448->4454 4455 403712 LookupPrivilegeValueW AdjustTokenPrivileges 4450->4455 4456 403746 4450->4456 4452 403581 4601 405adb 4452->4601 4453 4035e8 4624 4056e7 4453->4624 4455->4456 4460 4063f5 5 API calls 4456->4460 4457->4452 4457->4453 4469 40374d 4460->4469 4462 403762 ExitWindowsEx 4462->4449 4466 40376f 4462->4466 4464 403609 lstrcatW lstrcmpiW 4468 403625 4464->4468 4464->4490 4465 4035fe lstrcatW 4465->4464 4641 40140b 4466->4641 4472 403631 4468->4472 4473 40362a 4468->4473 4469->4462 4469->4466 4471 40359c 4616 40601f lstrcpynW 4471->4616 4632 4056ca CreateDirectoryW 4472->4632 4627 40564d CreateDirectoryW 4473->4627 4478 403636 SetCurrentDirectoryW 4480 403651 4478->4480 4481 403646 4478->4481 4544 403868 4479->4544 4636 40601f lstrcpynW 4480->4636 4635 40601f lstrcpynW 4481->4635 4484 406041 18 API calls 4485 403690 DeleteFileW 4484->4485 4486 40369d CopyFileW 4485->4486 4492 40365f 4485->4492 4486->4492 4487 4036e6 4488 405ec0 38 API calls 4487->4488 4488->4490 4617 40378e 4490->4617 4491 
406041 18 API calls 4491->4492 4492->4484 4492->4487 4492->4491 4493 4056ff 2 API calls 4492->4493 4494 4036d1 CloseHandle 4492->4494 4637 405ec0 MoveFileExW 4492->4637 4493->4492 4494->4492 4496 4063ab wsprintfW LoadLibraryW 4495->4496 4496->4409 4499 406411 4498->4499 4500 40641b GetProcAddress 4498->4500 4501 406389 3 API calls 4499->4501 4502 4032d6 4500->4502 4503 406417 4501->4503 4502->4416 4503->4500 4503->4502 4504->4419 4505->4421 4507 4062b3 5 API calls 4506->4507 4508 403245 4507->4508 4509 40324f 4508->4509 4510 4059d3 3 API calls 4508->4510 4509->4427 4511 403257 4510->4511 4512 4056ca 2 API calls 4511->4512 4513 40325d 4512->4513 4644 405c23 4513->4644 4648 405bf4 GetFileAttributesW CreateFileW 4516->4648 4518 402e2e 4535 402e3e 4518->4535 4649 40601f lstrcpynW 4518->4649 4520 402e54 4650 405a1f lstrlenW 4520->4650 4524 402e65 GetFileSize 4540 402f61 4524->4540 4543 402e7c 4524->4543 4526 402f6a 4528 402f9a GlobalAlloc 4526->4528 4526->4535 4667 403222 SetFilePointer 4526->4667 4527 40320c ReadFile 4527->4543 4666 403222 SetFilePointer 4528->4666 4530 402fcd 4532 402d8a 6 API calls 4530->4532 4532->4535 4533 402f83 4536 40320c ReadFile 4533->4536 4534 402fb5 4537 403027 36 API calls 4534->4537 4535->4434 4538 402f8e 4536->4538 4541 402fc1 4537->4541 4538->4528 4538->4535 4539 402d8a 6 API calls 4539->4543 4655 402d8a 4540->4655 4541->4535 4541->4541 4542 402ffe SetFilePointer 4541->4542 4542->4535 4543->4527 4543->4530 4543->4535 4543->4539 4543->4540 4545 4063f5 5 API calls 4544->4545 4546 40387c 4545->4546 4547 403882 4546->4547 4548 403894 4546->4548 4684 405f66 wsprintfW 4547->4684 4549 405eec 3 API calls 4548->4549 4550 4038c4 4549->4550 4551 4038e3 lstrcatW 4550->4551 4553 405eec 3 API calls 4550->4553 4554 403892 4551->4554 4553->4551 4668 403b3e 4554->4668 4557 405adb 18 API calls 4558 403915 4557->4558 4559 4039a9 4558->4559 4561 405eec 3 API calls 4558->4561 4560 405adb 18 API calls 4559->4560 4562 4039af 4560->4562 4563 403947 4561->4563 
4564 4039bf LoadImageW 4562->4564 4567 406041 18 API calls 4562->4567 4563->4559 4570 403968 lstrlenW 4563->4570 4574 405a00 CharNextW 4563->4574 4565 403a65 4564->4565 4566 4039e6 RegisterClassW 4564->4566 4569 40140b 2 API calls 4565->4569 4568 403a1c SystemParametersInfoW CreateWindowExW 4566->4568 4599 403a6f 4566->4599 4567->4564 4568->4565 4573 403a6b 4569->4573 4571 403976 lstrcmpiW 4570->4571 4572 40399c 4570->4572 4571->4572 4575 403986 GetFileAttributesW 4571->4575 4576 4059d3 3 API calls 4572->4576 4579 403b3e 19 API calls 4573->4579 4573->4599 4577 403965 4574->4577 4578 403992 4575->4578 4580 4039a2 4576->4580 4577->4570 4578->4572 4581 405a1f 2 API calls 4578->4581 4582 403a7c 4579->4582 4685 40601f lstrcpynW 4580->4685 4581->4572 4584 403a88 ShowWindow 4582->4584 4585 403b0b 4582->4585 4587 406389 3 API calls 4584->4587 4677 405251 OleInitialize 4585->4677 4589 403aa0 4587->4589 4588 403b11 4590 403b15 4588->4590 4591 403b2d 4588->4591 4592 403aae GetClassInfoW 4589->4592 4594 406389 3 API calls 4589->4594 4598 40140b 2 API calls 4590->4598 4590->4599 4593 40140b 2 API calls 4591->4593 4595 403ac2 GetClassInfoW RegisterClassW 4592->4595 4596 403ad8 DialogBoxParamW 4592->4596 4593->4599 4594->4592 4595->4596 4597 40140b 2 API calls 4596->4597 4597->4599 4598->4599 4599->4490 4600->4440 4694 40601f lstrcpynW 4601->4694 4603 405aec 4695 405a7e CharNextW CharNextW 4603->4695 4606 40358d 4606->4490 4615 40601f lstrcpynW 4606->4615 4607 4062b3 5 API calls 4613 405b02 4607->4613 4608 405b33 lstrlenW 4609 405b3e 4608->4609 4608->4613 4611 4059d3 3 API calls 4609->4611 4610 406362 2 API calls 4610->4613 4612 405b43 GetFileAttributesW 4611->4612 4612->4606 4613->4606 4613->4608 4613->4610 4614 405a1f 2 API calls 4613->4614 4614->4608 4615->4471 4616->4479 4618 4037a6 4617->4618 4619 403798 CloseHandle 4617->4619 4701 4037d3 4618->4701 4619->4618 4625 4063f5 5 API calls 4624->4625 4626 4035ed lstrcatW 4625->4626 4626->4464 4626->4465 4628 40362f 4627->4628 4629 
40569e GetLastError 4627->4629 4628->4478 4629->4628 4630 4056ad SetFileSecurityW 4629->4630 4630->4628 4631 4056c3 GetLastError 4630->4631 4631->4628 4633 4056da 4632->4633 4634 4056de GetLastError 4632->4634 4633->4478 4634->4633 4635->4480 4636->4492 4638 405ee1 4637->4638 4639 405ed4 4637->4639 4638->4492 4754 405d4e lstrcpyW 4639->4754 4642 401389 2 API calls 4641->4642 4643 401420 4642->4643 4643->4449 4645 405c30 GetTickCount GetTempFileNameW 4644->4645 4646 403268 4645->4646 4647 405c66 4645->4647 4646->4427 4647->4645 4647->4646 4648->4518 4649->4520 4651 405a2d 4650->4651 4652 405a33 CharPrevW 4651->4652 4653 402e5a 4651->4653 4652->4651 4652->4653 4654 40601f lstrcpynW 4653->4654 4654->4524 4656 402d93 4655->4656 4657 402dab 4655->4657 4658 402da3 4656->4658 4659 402d9c DestroyWindow 4656->4659 4660 402db3 4657->4660 4661 402dbb GetTickCount 4657->4661 4658->4526 4659->4658 4664 406431 2 API calls 4660->4664 4662 402dc9 CreateDialogParamW ShowWindow 4661->4662 4663 402dec 4661->4663 4662->4663 4663->4526 4665 402db9 4664->4665 4665->4526 4666->4534 4667->4533 4669 403b52 4668->4669 4686 405f66 wsprintfW 4669->4686 4671 403bc3 4672 406041 18 API calls 4671->4672 4673 403bcf SetWindowTextW 4672->4673 4674 4038f3 4673->4674 4675 403beb 4673->4675 4674->4557 4675->4674 4676 406041 18 API calls 4675->4676 4676->4675 4687 40412f 4677->4687 4679 405274 4682 40529b 4679->4682 4690 401389 4679->4690 4680 40412f SendMessageW 4681 4052ad OleUninitialize 4680->4681 4681->4588 4682->4680 4684->4554 4685->4559 4686->4671 4688 404147 4687->4688 4689 404138 SendMessageW 4687->4689 4688->4679 4689->4688 4692 401390 4690->4692 4691 4013fe 4691->4679 4692->4691 4693 4013cb MulDiv SendMessageW 4692->4693 4693->4692 4694->4603 4696 405a9b 4695->4696 4700 405aad 4695->4700 4698 405aa8 CharNextW 4696->4698 4696->4700 4697 405ad1 4697->4606 4697->4607 4698->4697 4699 405a00 CharNextW 4699->4700 4700->4697 4700->4699 4702 4037e1 4701->4702 4703 4037ab 4702->4703 4704 4037e6 
FreeLibrary GlobalFree 4702->4704 4705 405810 4703->4705 4704->4703 4704->4704 4706 405adb 18 API calls 4705->4706 4707 405830 4706->4707 4708 405838 DeleteFileW 4707->4708 4709 40584f 4707->4709 4710 4035c0 OleUninitialize 4708->4710 4712 40597a 4709->4712 4744 40601f lstrcpynW 4709->4744 4710->4446 4710->4447 4712->4710 4718 406362 2 API calls 4712->4718 4713 405875 4714 405888 4713->4714 4715 40587b lstrcatW 4713->4715 4717 405a1f 2 API calls 4714->4717 4716 40588e 4715->4716 4719 40589e lstrcatW 4716->4719 4721 4058a9 lstrlenW FindFirstFileW 4716->4721 4717->4716 4720 405994 4718->4720 4719->4721 4720->4710 4722 405998 4720->4722 4723 40596f 4721->4723 4742 4058cb 4721->4742 4724 4059d3 3 API calls 4722->4724 4723->4712 4725 40599e 4724->4725 4727 4057c8 5 API calls 4725->4727 4726 405952 FindNextFileW 4729 405968 FindClose 4726->4729 4726->4742 4730 4059aa 4727->4730 4729->4723 4731 4059c4 4730->4731 4732 4059ae 4730->4732 4734 40517e 25 API calls 4731->4734 4732->4710 4735 40517e 25 API calls 4732->4735 4734->4710 4737 4059bb 4735->4737 4736 405810 62 API calls 4736->4742 4738 405ec0 38 API calls 4737->4738 4740 4059c2 4738->4740 4739 40517e 25 API calls 4739->4726 4740->4710 4741 40517e 25 API calls 4741->4742 4742->4726 4742->4736 4742->4739 4742->4741 4743 405ec0 38 API calls 4742->4743 4745 40601f lstrcpynW 4742->4745 4746 4057c8 4742->4746 4743->4742 4744->4713 4745->4742 4747 405bcf 2 API calls 4746->4747 4748 4057d4 4747->4748 4749 4057e3 RemoveDirectoryW 4748->4749 4750 4057eb DeleteFileW 4748->4750 4751 4057f5 4748->4751 4752 4057f1 4749->4752 4750->4752 4751->4742 4752->4751 4753 405801 SetFileAttributesW 4752->4753 4753->4751 4755 405d76 4754->4755 4756 405d9c GetShortPathNameW 4754->4756 4781 405bf4 GetFileAttributesW CreateFileW 4755->4781 4758 405db1 4756->4758 4759 405ebb 4756->4759 4758->4759 4761 405db9 wsprintfA 4758->4761 4759->4638 4760 405d80 CloseHandle GetShortPathNameW 4760->4759 4762 405d94 4760->4762 4763 406041 18 API calls 
4761->4763 4762->4756 4762->4759 4764 405de1 4763->4764 4782 405bf4 GetFileAttributesW CreateFileW 4764->4782 4766 405dee 4766->4759 4767 405dfd GetFileSize GlobalAlloc 4766->4767 4768 405eb4 CloseHandle 4767->4768 4769 405e1f 4767->4769 4768->4759 4770 405c77 ReadFile 4769->4770 4771 405e27 4770->4771 4771->4768 4783 405b59 lstrlenA 4771->4783 4774 405e52 4776 405b59 4 API calls 4774->4776 4775 405e3e lstrcpyA 4777 405e60 4775->4777 4776->4777 4778 405e97 SetFilePointer 4777->4778 4779 405ca6 WriteFile 4778->4779 4780 405ead GlobalFree 4779->4780 4780->4768 4781->4760 4782->4766 4784 405b9a lstrlenA 4783->4784 4785 405ba2 4784->4785 4786 405b73 lstrcmpiA 4784->4786 4785->4774 4785->4775 4786->4785 4787 405b91 CharNextA 4786->4787 4787->4784 4788 4021ea 4789 402bbf 18 API calls 4788->4789 4790 4021f0 4789->4790 4791 402bbf 18 API calls 4790->4791 4792 4021f9 4791->4792 4793 402bbf 18 API calls 4792->4793 4794 402202 4793->4794 4795 406362 2 API calls 4794->4795 4796 40220b 4795->4796 4797 40221c lstrlenW lstrlenW 4796->4797 4802 40220f 4796->4802 4798 40517e 25 API calls 4797->4798 4801 40225a SHFileOperationW 4798->4801 4799 40517e 25 API calls 4800 402217 4799->4800 4801->4800 4801->4802 4802->4799 4802->4800 5268 40156b 5269 401584 5268->5269 5270 40157b ShowWindow 5268->5270 5271 401592 ShowWindow 5269->5271 5272 402a4c 5269->5272 5270->5269 5271->5272 5280 40226e 5281 402288 5280->5281 5282 402275 5280->5282 5283 406041 18 API calls 5282->5283 5284 402282 5283->5284 5285 405764 MessageBoxIndirectW 5284->5285 5285->5281 5286 4014f1 SetForegroundWindow 5287 402a4c 5286->5287 5288 4050f2 5289 405102 5288->5289 5290 405116 5288->5290 5291 40515f 5289->5291 5292 405108 5289->5292 5293 40511e IsWindowVisible 5290->5293 5299 405135 5290->5299 5294 405164 CallWindowProcW 5291->5294 5295 40412f SendMessageW 5292->5295 5293->5291 5296 40512b 5293->5296 5298 405112 5294->5298 5295->5298 5301 404a48 SendMessageW 5296->5301 5299->5294 5306 404ac8 5299->5306 5302 404aa7 
SendMessageW 5301->5302 5303 404a6b GetMessagePos ScreenToClient SendMessageW 5301->5303 5305 404a9f 5302->5305 5304 404aa4 5303->5304 5303->5305 5304->5302 5305->5299 5315 40601f lstrcpynW 5306->5315 5308 404adb 5316 405f66 wsprintfW 5308->5316 5310 404ae5 5311 40140b 2 API calls 5310->5311 5312 404aee 5311->5312 5317 40601f lstrcpynW 5312->5317 5314 404af5 5314->5291 5315->5308 5316->5310 5317->5314 5318 401673 5319 402bbf 18 API calls 5318->5319 5320 40167a 5319->5320 5321 402bbf 18 API calls 5320->5321 5322 401683 5321->5322 5323 402bbf 18 API calls 5322->5323 5324 40168c MoveFileW 5323->5324 5325 40169f 5324->5325 5331 401698 5324->5331 5326 406362 2 API calls 5325->5326 5329 4021e1 5325->5329 5328 4016ae 5326->5328 5327 401423 25 API calls 5327->5329 5328->5329 5330 405ec0 38 API calls 5328->5330 5330->5331 5331->5327 5332 100016b6 5333 100016e5 5332->5333 5334 10001b18 22 API calls 5333->5334 5335 100016ec 5334->5335 5336 100016f3 5335->5336 5337 100016ff 5335->5337 5338 10001272 2 API calls 5336->5338 5339 10001726 5337->5339 5340 10001709 5337->5340 5341 100016fd 5338->5341 5343 10001750 5339->5343 5344 1000172c 5339->5344 5342 1000153d 3 API calls 5340->5342 5346 1000170e 5342->5346 5345 1000153d 3 API calls 5343->5345 5347 100015b4 3 API calls 5344->5347 5345->5341 5348 100015b4 3 API calls 5346->5348 5349 10001731 5347->5349 5350 10001714 5348->5350 5351 10001272 2 API calls 5349->5351 5353 10001272 2 API calls 5350->5353 5352 10001737 GlobalFree 5351->5352 5352->5341 5354 1000174b GlobalFree 5352->5354 5355 1000171a GlobalFree 5353->5355 5354->5341 5355->5341 5356 4041f7 lstrcpynW lstrlenW 5357 10002238 5358 10002296 5357->5358 5359 100022cc 5357->5359 5358->5359 5360 100022a8 GlobalAlloc 5358->5360 5360->5358 5361 404afa GetDlgItem GetDlgItem 5362 404b4c 7 API calls 5361->5362 5370 404d65 5361->5370 5363 404be2 SendMessageW 5362->5363 5364 404bef DeleteObject 5362->5364 5363->5364 5365 404bf8 5364->5365 5366 404c2f 5365->5366 5369 406041 18 API calls 
5365->5369 5367 4040e3 19 API calls 5366->5367 5371 404c43 5367->5371 5368 404ef5 5373 404f07 5368->5373 5374 404eff SendMessageW 5368->5374 5375 404c11 SendMessageW SendMessageW 5369->5375 5372 404e49 5370->5372 5376 404a48 5 API calls 5370->5376 5393 404dd6 5370->5393 5377 4040e3 19 API calls 5371->5377 5372->5368 5378 404ea2 SendMessageW 5372->5378 5401 404d58 5372->5401 5381 404f20 5373->5381 5382 404f19 ImageList_Destroy 5373->5382 5395 404f30 5373->5395 5374->5373 5375->5365 5376->5393 5394 404c51 5377->5394 5384 404eb7 SendMessageW 5378->5384 5378->5401 5379 40414a 8 API calls 5385 4050eb 5379->5385 5380 404e3b SendMessageW 5380->5372 5386 404f29 GlobalFree 5381->5386 5381->5395 5382->5381 5383 40509f 5390 4050b1 ShowWindow GetDlgItem ShowWindow 5383->5390 5383->5401 5388 404eca 5384->5388 5386->5395 5387 404d26 GetWindowLongW SetWindowLongW 5389 404d3f 5387->5389 5399 404edb SendMessageW 5388->5399 5391 404d45 ShowWindow 5389->5391 5392 404d5d 5389->5392 5390->5401 5412 404118 SendMessageW 5391->5412 5413 404118 SendMessageW 5392->5413 5393->5372 5393->5380 5394->5387 5398 404ca1 SendMessageW 5394->5398 5400 404d20 5394->5400 5402 404cdd SendMessageW 5394->5402 5403 404cee SendMessageW 5394->5403 5395->5383 5404 404ac8 4 API calls 5395->5404 5408 404f6b 5395->5408 5398->5394 5399->5368 5400->5387 5400->5389 5401->5379 5402->5394 5403->5394 5404->5408 5405 405075 InvalidateRect 5405->5383 5406 40508b 5405->5406 5414 404a03 5406->5414 5407 404f99 SendMessageW 5411 404faf 5407->5411 5408->5407 5408->5411 5410 405023 SendMessageW SendMessageW 5410->5411 5411->5405 5411->5410 5412->5401 5413->5370 5417 40493a 5414->5417 5416 404a18 5416->5383 5418 404953 5417->5418 5419 406041 18 API calls 5418->5419 5420 4049b7 5419->5420 5421 406041 18 API calls 5420->5421 5422 4049c2 5421->5422 5423 406041 18 API calls 5422->5423 5424 4049d8 lstrlenW wsprintfW SetDlgItemTextW 5423->5424 5424->5416 5425 401cfa GetDlgItem GetClientRect 5426 402bbf 18 API calls 5425->5426 5427 

                                                    Control-flow Graph

                                                    APIs
                                                    • SetErrorMode.KERNELBASE ref: 0040328C
                                                    • GetVersion.KERNEL32 ref: 00403292
                                                    • #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032E2
                                                    • OleInitialize.OLE32(00000000), ref: 004032E9
                                                    • SHGetFileInfoW.SHELL32(004206C8,00000000,?,000002B4,00000000), ref: 00403305
                                                    • GetCommandLineW.KERNEL32(00428220,NSIS Error), ref: 0040331A
                                                    • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\t6V3uvyaAP.exe",00000000), ref: 0040332D
                                                    • CharNextW.USER32(00000000,"C:\Users\user\Desktop\t6V3uvyaAP.exe",00000020), ref: 00403354
                                                      • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                      • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                    • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348F
                                                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034A0
                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034AC
                                                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034C0
                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034C8
                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D9
                                                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034E1
                                                    • DeleteFileW.KERNELBASE(1033), ref: 004034F5
                                                      • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                    • OleUninitialize.OLE32(?), ref: 004035C0
                                                    • ExitProcess.KERNEL32 ref: 004035E2
                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004035F5
                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040926C), ref: 00403604
                                                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040360F
                                                    • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\t6V3uvyaAP.exe",00000000,?), ref: 0040361B
                                                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403637
                                                    • DeleteFileW.KERNEL32(0041FEC8,0041FEC8,?,0042A000,?), ref: 00403691
                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\t6V3uvyaAP.exe,0041FEC8,00000001), ref: 004036A5
                                                    • CloseHandle.KERNEL32(00000000,0041FEC8,0041FEC8,?,0041FEC8,00000000), ref: 004036D2
                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403701
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403708
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040371D
                                                    • AdjustTokenPrivileges.ADVAPI32 ref: 00403740
                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403765
                                                    • ExitProcess.KERNEL32 ref: 00403788
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
                                                    • String ID: "C:\Users\user\Desktop\t6V3uvyaAP.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\outsplendour\urite$C:\Users\user\AppData\Local\outsplendour\urite\Kollegier$C:\Users\user\Desktop$C:\Users\user\Desktop\t6V3uvyaAP.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
                                                    • API String ID: 3586999533-3009568610
                                                    • Opcode ID: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                                    • Instruction ID: 47b2dd04bf5340fec55df09ad24e258ddf9dfe897e1895205e314fce2ef220c4
                                                    • Opcode Fuzzy Hash: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                                    • Instruction Fuzzy Hash: 08D12770604200BAD720BF659D49A3B3AACEB4170AF50487FF441B61D2DB7D9941CB6E

                                                    Control-flow Graph

                                                    APIs
                                                    • GetDlgItem.USER32(?,00000403), ref: 0040531B
                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040532A
                                                    • GetClientRect.USER32(?,?), ref: 00405367
                                                    • GetSystemMetrics.USER32(00000002), ref: 0040536E
                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538F
                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053A0
                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053B3
                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053C1
                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053D4
                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053F6
                                                    • ShowWindow.USER32(?,00000008), ref: 0040540A
                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040542B
                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040543B
                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405454
                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405460
                                                    • GetDlgItem.USER32(?,000003F8), ref: 00405339
                                                      • Part of subcall function 00404118: SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040547D
                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005251,00000000), ref: 0040548B
                                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405492
                                                    • ShowWindow.USER32(00000000), ref: 004054B6
                                                    • ShowWindow.USER32(?,00000008), ref: 004054BB
                                                    • ShowWindow.USER32(00000008), ref: 00405505
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405539
                                                    • CreatePopupMenu.USER32 ref: 0040554A
                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040555E
                                                    • GetWindowRect.USER32(?,?), ref: 0040557E
                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405597
                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CF
                                                    • OpenClipboard.USER32(00000000), ref: 004055DF
                                                    • EmptyClipboard.USER32 ref: 004055E5
                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055F1
                                                    • GlobalLock.KERNEL32(00000000), ref: 004055FB
                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560F
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040562F
                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 0040563A
                                                    • CloseClipboard.USER32 ref: 00405640
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                    • String ID: {
                                                    • API String ID: 4154960007-366298937

                                                    APIs
                                                    • GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,?,004051B5,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,00000000,0040FEC0), ref: 00406104
                                                    • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406182
                                                    • GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406195
                                                    • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061D1
                                                    • SHGetPathFromIDListW.SHELL32(?,Call), ref: 004061DF
                                                    • CoTaskMemFree.OLE32(?), ref: 004061EA
                                                    • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040620E
                                                    • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,?,004051B5,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,00000000,0040FEC0), ref: 00406268
                                                    Strings
                                                    Similarity
                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                    • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                    • API String ID: 900638850-708825242

                                                    APIs
                                                    • DeleteFileW.KERNELBASE(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\t6V3uvyaAP.exe"), ref: 00405839
                                                    • lstrcatW.KERNEL32(00424710,\*.*), ref: 00405881
                                                    • lstrcatW.KERNEL32(?,00409014), ref: 004058A4
                                                    • lstrlenW.KERNEL32(?,?,00409014,?,00424710,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\t6V3uvyaAP.exe"), ref: 004058AA
                                                    • FindFirstFileW.KERNEL32(00424710,?,?,?,00409014,?,00424710,?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\t6V3uvyaAP.exe"), ref: 004058BA
                                                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,00409300,0000002E), ref: 0040595A
                                                    • FindClose.KERNEL32(00000000), ref: 00405969
                                                    Strings
                                                    • "C:\Users\user\Desktop\t6V3uvyaAP.exe", xrefs: 00405819
                                                    • \*.*, xrefs: 0040587B
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040581D
                                                    Similarity
                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                    • String ID: "C:\Users\user\Desktop\t6V3uvyaAP.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                    • API String ID: 2035342205-1884762611
                                                    APIs
                                                    • FindFirstFileW.KERNELBASE(?,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405830,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                                    • FindClose.KERNEL32(00000000), ref: 00406379
                                                    Strings
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID: XWB
                                                    • API String ID: 2295610775-4039527733
                                                    APIs
                                                    • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                                    Similarity
                                                    • API ID: FileFindFirst
                                                    • String ID:
                                                    • API String ID: 1974802433-0

                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C47
                                                    • ShowWindow.USER32(?), ref: 00403C64
                                                    • DestroyWindow.USER32 ref: 00403C78
                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C94
                                                    • GetDlgItem.USER32(?,?), ref: 00403CB5
                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC9
                                                    • IsWindowEnabled.USER32(00000000), ref: 00403CD0
                                                    • GetDlgItem.USER32(?,00000001), ref: 00403D7E
                                                    • GetDlgItem.USER32(?,00000002), ref: 00403D88
                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00403DA2
                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403DF3
                                                    • GetDlgItem.USER32(?,00000003), ref: 00403E99
                                                    • ShowWindow.USER32(00000000,?), ref: 00403EBA
                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403ECC
                                                    • EnableWindow.USER32(?,?), ref: 00403EE7
                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EFD
                                                    • EnableMenuItem.USER32(00000000), ref: 00403F04
                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F1C
                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2F
                                                    • lstrlenW.KERNEL32(00422708,?,00422708,00428220), ref: 00403F58
                                                    • SetWindowTextW.USER32(?,00422708), ref: 00403F6C
                                                    • ShowWindow.USER32(?,0000000A), ref: 004040A0
                                                    Similarity
                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                    • String ID:
                                                    • API String ID: 3282139019-0

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                      • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                    • lstrcatW.KERNEL32(1033,00422708), ref: 004038E9
                                                    • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\outsplendour\urite,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,76233420), ref: 00403969
                                                    • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\outsplendour\urite,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000), ref: 0040397C
                                                    • GetFileAttributesW.KERNEL32(Call), ref: 00403987
                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\outsplendour\urite), ref: 004039D0
                                                      • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                                    • RegisterClassW.USER32(004281C0), ref: 00403A0D
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A25
                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A5A
                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403A90
                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,004281C0), ref: 00403ABC
                                                    • GetClassInfoW.USER32(00000000,RichEdit,004281C0), ref: 00403AC9
                                                    • RegisterClassW.USER32(004281C0), ref: 00403AD2
                                                    • DialogBoxParamW.USER32(?,00000000,00403C0B,00000000), ref: 00403AF1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: "C:\Users\user\Desktop\t6V3uvyaAP.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\outsplendour\urite$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                    • API String ID: 1975747703-555651816
                                                    • Opcode ID: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                                    • Instruction ID: 2be98759588b12f3ea5babf1b6ec1a1322f2c31473ef1d4f92accd895ea03b39
                                                    • Opcode Fuzzy Hash: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                                    • Instruction Fuzzy Hash: C861A670644200BAD220AF669D45F3B3A6CEB84749F80457FF941B22E2CB7C6D01CA7E

                                                    Control-flow Graph

                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00402DFF
                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\t6V3uvyaAP.exe,00000400,?,?,00000000,00403504,?), ref: 00402E1B
                                                      • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\t6V3uvyaAP.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                      • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                    • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\t6V3uvyaAP.exe,C:\Users\user\Desktop\t6V3uvyaAP.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00402E67
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                    • String ID: "C:\Users\user\Desktop\t6V3uvyaAP.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\t6V3uvyaAP.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                    • API String ID: 4283519449-3156551276
                                                    • Opcode ID: b725974a6df1d82cb729a900034c9e7c9e4530fc883352e2762ffba139ff69ae
                                                    • Instruction ID: cad0cac5a7d3da6b721da94722abfb33afad8597fd9771d3107dd1117b6c1d4f
                                                    • Opcode Fuzzy Hash: b725974a6df1d82cb729a900034c9e7c9e4530fc883352e2762ffba139ff69ae
                                                    • Instruction Fuzzy Hash: EA51D471901216ABDB209F64DE89B9E7BB8EB04354F20407BF904F62D1C7BC9D419BAD

                                                    Control-flow Graph

                                                    APIs
                                                    • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                    • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\outsplendour\urite\Kollegier,?,?,00000031), ref: 004017CD
                                                      • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                      • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                      • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                      • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00403160), ref: 004051D9
                                                      • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll), ref: 004051EB
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                    • String ID: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp$C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll$C:\Users\user\AppData\Local\outsplendour\urite\Kollegier$Call
                                                    • API String ID: 1941528284-362849067
                                                    • Opcode ID: 1af66f6b7640f5d51d4aa18a28294518de0f7505a6e023cac1eb676d37d1de9b
                                                    • Instruction ID: e39dfb19bb2720adffc224853af95c022162de9bd11196ce21bc9617d3384428
                                                    • Opcode Fuzzy Hash: 1af66f6b7640f5d51d4aa18a28294518de0f7505a6e023cac1eb676d37d1de9b
                                                    • Instruction Fuzzy Hash: 9041D571900515BACF20BFB5CC45DAF3679EF45328B20427BF422B50E2DB3C8A519A6D

                                                    Control-flow Graph

                                                    APIs
                                                    • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                    • lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                    • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00403160), ref: 004051D9
                                                    • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll), ref: 004051EB
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                    • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll
                                                    • API String ID: 2531174081-3322584231
                                                    • Opcode ID: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
                                                    • Instruction ID: 21bddbe199db3e121897d5596c22f00b0e76f5ccd37bc28327e30b1938552548
                                                    • Opcode Fuzzy Hash: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
                                                    • Instruction Fuzzy Hash: 9E219D71900118BACB219FA5DD84ACFBFB9EF58350F14807AF904B62A0C7798A41CF68

                                                    Control-flow Graph

                                                    APIs
                                                    • ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                    • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                      • Part of subcall function 00405CD5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405CEB
                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                    • String ID: 9
                                                    • API String ID: 163830602-2366072709
                                                    • Opcode ID: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
                                                    • Instruction ID: 56da5788d6d90062f79809d4a3c22d6e203981add65e083e01e3e907f30c056e
                                                    • Opcode Fuzzy Hash: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
                                                    • Instruction Fuzzy Hash: 3F512774D0021AAADF209F94CA88AAEB779FF04344F50447BE501F72E0D7B99D429B69

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: CountTick$wsprintf
                                                    • String ID: ... %d%%
                                                    • API String ID: 551687249-2449383134

                                                    Control-flow Graph

                                                    [Control-flow graph (image not preserved): first block 40237b-4023c1; API calls in graph: RegCreateKeyExW, lstrlenW, RegSetValueExW, RegCloseKey]
                                                    APIs
                                                    • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                    • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstD8B2.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateValuelstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp
                                                    • API String ID: 1356686001-1596425934

                                                    Control-flow Graph

                                                    [Control-flow graph (image not preserved): first block 40564d-405698; API calls in graph: CreateDirectoryW, GetLastError, SetFileSecurityW]
                                                    APIs
                                                    • CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                                    • GetLastError.KERNEL32 ref: 004056A4
                                                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B9
                                                    • GetLastError.KERNEL32 ref: 004056C3
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405673
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 3449924974-3936084776

                                                    Control-flow Graph

                                                    [Control-flow graph (image not preserved): first block 402bff-402c28; API calls in graph: RegOpenKeyExW, RegEnumKeyW, RegCloseKey, RegDeleteKeyW]
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: Close$DeleteEnumOpen
                                                    • String ID:
                                                    • API String ID: 1912718029-0

                                                    Control-flow Graph

                                                    [Control-flow graph (image not preserved): first block 10001759-10001795; API calls in graph: GlobalFree, FreeLibrary]
                                                    APIs
                                                      • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                      • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                      • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                    • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                    • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                      • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8
                                                      • Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                      • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.4570714741.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.4570776282.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.4570805771.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$Alloc$Librarylstrcpy
                                                    • String ID:
                                                    • API String ID: 1791698881-3916222277
                                                    APIs
                                                      • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                      • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405830,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\t6V3uvyaAP.exe"), ref: 00405A8C
                                                      • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
                                                      • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
                                                    • lstrlenW.KERNEL32(00424F10,00000000,00424F10,00424F10, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405830,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\t6V3uvyaAP.exe"), ref: 00405B34
                                                    • GetFileAttributesW.KERNELBASE(00424F10,00424F10,00424F10,00424F10,00424F10,00424F10,00000000,00424F10,00424F10, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405830,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405B44
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                    • String ID: 4#v$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 3248276644-3758603893
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F16
                                                    • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F37
                                                    • RegCloseKey.KERNELBASE(?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F5A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Call
                                                    • API String ID: 3677997916-1824292864
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00405C41
                                                    • GetTempFileNameW.KERNELBASE(00409300,?,00000000,?,?,?,00000000,00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00405C5C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CountFileNameTempTick
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                    • API String ID: 1716503409-1857211195
                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
                                                    • wsprintfW.USER32 ref: 004063DB
                                                    • LoadLibraryW.KERNELBASE(?), ref: 004063EB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                    • String ID: %s%S.dll
                                                    • API String ID: 2200240437-2744773210
                                                    • Opcode ID: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
                                                    • Instruction ID: 006adf5c24d44cc190f28e383f23d96ea846dcb1794efbef959ff2cbc64c9496
                                                    • Opcode Fuzzy Hash: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
                                                    • Instruction Fuzzy Hash: D6F09030910119EBDB14AB68DD4DEAB366CAB00304F104476A906F21E1E77CEA68CBE9
                                                    APIs
                                                      • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                      • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                      • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00403160), ref: 004051D9
                                                      • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll), ref: 004051EB
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                      • Part of subcall function 004056FF: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                                      • Part of subcall function 004056FF: CloseHandle.KERNEL32(00409300), ref: 00405735
                                                    • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                    • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                    Similarity
                                                    • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 3585118688-0
                                                    • Opcode ID: a1d795c7baf1e7290d110ce85c2d9cf729f4c63947e2ae07be1deb4f77e0bcaf
                                                    • Instruction ID: f6705c9319aae76dbd7499045e6368890872edf6032e54a723c1862b254634bc
                                                    • Opcode Fuzzy Hash: a1d795c7baf1e7290d110ce85c2d9cf729f4c63947e2ae07be1deb4f77e0bcaf
                                                    • Instruction Fuzzy Hash: 7611A131900108EBCF21AFA1CD8499E7AB6EB04314F24407BF601B61E1C7798A819B9D
                                                    APIs
                                                      • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405830,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\t6V3uvyaAP.exe"), ref: 00405A8C
                                                      • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
                                                      • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
                                                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                      • Part of subcall function 0040564D: CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                                    • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\outsplendour\urite\Kollegier,?,00000000,000000F0), ref: 00401645
                                                    Strings
                                                    • C:\Users\user\AppData\Local\outsplendour\urite\Kollegier, xrefs: 00401638
                                                    Similarity
                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                    • String ID: C:\Users\user\AppData\Local\outsplendour\urite\Kollegier
                                                    • API String ID: 1892508949-57472893
                                                    • Opcode ID: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
                                                    • Instruction ID: 9984d83288963ddb5bfb53596c8c9f6ed7fbdeacdcadece23b283b8c4b9f7bd6
                                                    • Opcode Fuzzy Hash: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
                                                    • Instruction Fuzzy Hash: 70119331504505EBCF206FA48D4199F3AB1EF44368B24097BEA05B61F2D63A4A819E5E
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                                    • CloseHandle.KERNEL32(00409300), ref: 00405735
                                                    Strings
                                                    • Error launching installer, xrefs: 00405712
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID: Error launching installer
                                                    • API String ID: 3712363035-66219284
                                                    • Opcode ID: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                                    • Instruction ID: 0e3d6bea0253e84bb75e95f5fd13ebb7f1c25267a9e23a2e11a0c59c818b3a51
                                                    • Opcode Fuzzy Hash: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                                    • Instruction Fuzzy Hash: A1E0BFB4A50209BFEB10AB64ED45F7B77ADE704604F408521BD10F6190D774A9118A79
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
                                                    • Instruction ID: 5fe4abb7369df3af91b149f2edb7ea720d50bcc67b973f9abb1089395dd24c70
                                                    • Opcode Fuzzy Hash: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
                                                    • Instruction Fuzzy Hash: C0A14471E00229CBDF28CFA8C8546ADBBB1FF44305F11856AD956BB281C7785A96CF44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
                                                    • Instruction ID: 7dc68a506d8d0f3fe9b520a6289ddaa7cfd75a66a39107a8603bac83b987cce9
                                                    • Opcode Fuzzy Hash: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
                                                    • Instruction Fuzzy Hash: 58912370D00229CBDF28CFA8C854BADBBB1FF44305F15816AD956BB291C7789A96CF44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
                                                    • Instruction ID: aa61b8b4d6b896fc10b82c5715850ba22d426d73d4dcb40af3c311b95fbd5bbf
                                                    • Opcode Fuzzy Hash: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
                                                    • Instruction Fuzzy Hash: 1B815671E00229CFDF24CFA8C844BADBBB1FB44305F25816AD456BB291C7789A96CF54
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
                                                    • Instruction ID: 6afa8d85982321809285efd67767f231e28451523f56623c0a237c64ba690010
                                                    • Opcode Fuzzy Hash: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
                                                    • Instruction Fuzzy Hash: 7E816731E00229DBDF24CFA9D844BADBBB0FB44305F11816AE856BB2C0C7785A96DF44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
                                                    • Instruction ID: b0afa4bf9b2f32aef8b418d90c6ac84aec3754d6d6600e102a8a9184c58ea877
                                                    • Opcode Fuzzy Hash: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
                                                    • Instruction Fuzzy Hash: FD712471E00229DFDF24CFA8C844BADBBB1FB48305F15806AD846BB290C7395996DF54
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                                    • Instruction ID: 02d0d75cb83947f83aad45c50880e4a386b83e744e149296eb7fa161ab999f08
                                                    • Opcode Fuzzy Hash: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                                    • Instruction Fuzzy Hash: 08714671E00219CFDF24CFA8C844BADBBB1FB44305F15806AD856BB290C7385956DF44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                      • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                      • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                      • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00403160), ref: 004051D9
                                                      • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll), ref: 004051EB
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                      • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                    • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                    • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                    Similarity
                                                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 334405425-0
                                                    APIs
                                                      • Part of subcall function 00406362: FindFirstFileW.KERNELBASE(?,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405830,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                                      • Part of subcall function 00406362: FindClose.KERNEL32(00000000), ref: 00406379
                                                    • lstrlenW.KERNEL32 ref: 0040222A
                                                    • lstrlenW.KERNEL32(00000000), ref: 00402235
                                                    • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E
                                                    Similarity
                                                    • API ID: FileFindlstrlen$CloseFirstOperation
                                                    • String ID:
                                                    • API String ID: 1486964399-0
                                                    APIs
                                                      • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                    • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                    • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                    Similarity
                                                    • API ID: Enum$CloseOpenValue
                                                    • String ID:
                                                    • API String ID: 167947723-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.4570714741.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000000.00000002.4570776282.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    • Associated: 00000000.00000002.4570805771.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast_open
                                                    • String ID:
                                                    • API String ID: 1632358481-0
                                                    APIs
                                                      • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    • API String ID: 3677997916-0
                                                    APIs
                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    APIs
                                                      • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                    Similarity
                                                    • API ID: CloseDeleteOpenValue
                                                    • String ID:
                                                    • API String ID: 849931509-0
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                      • Part of subcall function 00406389: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
                                                      • Part of subcall function 00406389: wsprintfW.USER32 ref: 004063DB
                                                      • Part of subcall function 00406389: LoadLibraryW.KERNELBASE(?), ref: 004063EB
                                                    Similarity
                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                    • String ID:
                                                    • API String ID: 2547128583-0
                                                    APIs
                                                    • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401DFD
                                                    Similarity
                                                    • API ID: Window$EnableShow
                                                    • String ID:
                                                    • API String ID: 1136574915-0
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\t6V3uvyaAP.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                    Similarity
                                                    • API ID: File$AttributesCreate
                                                    • String ID:
                                                    • API String ID: 415043291-0
                                                    APIs
                                                    • CreateDirectoryW.KERNELBASE(?,00000000,0040325D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004056D0
                                                    • GetLastError.KERNEL32 ref: 004056DE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryErrorLast
                                                    • String ID:
                                                    • API String ID: 1375471231-0
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
                                                      • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: FilePointerwsprintf
                                                    • String ID:
                                                    • API String ID: 327478801-0
                                                    APIs
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfileStringWrite
                                                    • String ID:
                                                    • API String ID: 390214022-0
                                                    APIs
                                                    • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: PathSearch
                                                    • String ID:
                                                    • API String ID: 2203818243-0
                                                    APIs
                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040321F,00000000,00000000,00403076,000000FF,00000004,00000000,00000000,00000000), ref: 00405C8B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    APIs
                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004031ED,00000000,0040BEC0,?,0040BEC0,?,000000FF,00000004,00000000), ref: 00405CBA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    APIs
                                                    • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.4570714741.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.4570776282.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.4570805771.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    APIs
                                                    • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfileString
                                                    • String ID:
                                                    • API String ID: 1096422788-0
                                                    APIs
                                                    • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    APIs
                                                    • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    APIs
                                                    • SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403504,?), ref: 00403230
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(?,00403EDD), ref: 0040410F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID:
                                                    • API String ID: 2492992576-0
                                                    APIs
                                                    • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    APIs
                                                    • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: AllocGlobal
                                                    • String ID:
                                                    • API String ID: 3761449716-0
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404B12
                                                    • GetDlgItem.USER32(?,00000408), ref: 00404B1D
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B67
                                                    • LoadBitmapW.USER32(0000006E), ref: 00404B7A
                                                    • SetWindowLongW.USER32(?,000000FC,004050F2), ref: 00404B93
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA7
                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB9
                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404BCF
                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BDB
                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BED
                                                    • DeleteObject.GDI32(00000000), ref: 00404BF0
                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C1B
                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C27
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CBD
                                                    • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE8
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CFC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404D2B
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D39
                                                    • ShowWindow.USER32(?,00000005), ref: 00404D4A
                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E47
                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EAC
                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EC1
                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE5
                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F05
                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404F1A
                                                    • GlobalFree.KERNEL32(?), ref: 00404F2A
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FA3
                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 0040504C
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040505B
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040507B
                                                    • ShowWindow.USER32(?,00000000), ref: 004050C9
                                                    • GetDlgItem.USER32(?,000003FE), ref: 004050D4
                                                    • ShowWindow.USER32(00000000), ref: 004050DB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                    • String ID: $M$N
                                                    • API String ID: 1638840714-813528018
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003FB), ref: 004045CD
                                                    • SetWindowTextW.USER32(00000000,?), ref: 004045F7
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 004046A8
                                                    • CoTaskMemFree.OLE32(00000000), ref: 004046B3
                                                    • lstrcmpiW.KERNEL32(Call,00422708,00000000,?,?), ref: 004046E5
                                                    • lstrcatW.KERNEL32(?,Call), ref: 004046F1
                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404703
                                                      • Part of subcall function 00405748: GetDlgItemTextW.USER32(?,?,00000400,0040473A), ref: 0040575B
                                                      • Part of subcall function 004062B3: CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\t6V3uvyaAP.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                                      • Part of subcall function 004062B3: CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                                      • Part of subcall function 004062B3: CharNextW.USER32(00409300,"C:\Users\user\Desktop\t6V3uvyaAP.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                                      • Part of subcall function 004062B3: CharPrevW.USER32(00409300,00409300,76233420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                                    • GetDiskFreeSpaceW.KERNEL32(004206D8,?,?,0000040F,?,004206D8,004206D8,?,00000001,004206D8,?,?,000003FB,?), ref: 004047C6
                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047E1
                                                      • Part of subcall function 0040493A: lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                      • Part of subcall function 0040493A: wsprintfW.USER32 ref: 004049E4
                                                      • Part of subcall function 0040493A: SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: A$C:\Users\user\AppData\Local\outsplendour\urite$Call
                                                    • API String ID: 2624150263-276824409
                                                    APIs
                                                      • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                    • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                                    • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                    • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                    • GlobalFree.KERNEL32(?), ref: 10001D83
                                                    • GlobalFree.KERNEL32(?), ref: 10001D88
                                                    • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                    • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$lstrcpy$Alloc
                                                    • String ID:
                                                    • API String ID: 4227406936-0
                                                    APIs
                                                    • CoCreateInstance.OLE32(0040749C,?,00000001,0040748C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                    Strings
                                                    • C:\Users\user\AppData\Local\outsplendour\urite\Kollegier, xrefs: 00402154
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CreateInstance
                                                    • String ID: C:\Users\user\AppData\Local\outsplendour\urite\Kollegier
                                                    • API String ID: 542301482-57472893
                                                    APIs
                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040431E
                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404332
                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040434F
                                                    • GetSysColor.USER32(?), ref: 00404360
                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040436E
                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040437C
                                                    • lstrlenW.KERNEL32(?), ref: 00404381
                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040438E
                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043A3
                                                    • GetDlgItem.USER32(?,0000040A), ref: 004043FC
                                                    • SendMessageW.USER32(00000000), ref: 00404403
                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040442E
                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404471
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 0040447F
                                                    • SetCursor.USER32(00000000), ref: 00404482
                                                    • ShellExecuteW.SHELL32(0000070B,open,004271C0,00000000,00000000,00000001), ref: 00404497
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004044A3
                                                    • SetCursor.USER32(00000000), ref: 004044A6
                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044D5
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                    • String ID: Call$N$open
                                                    • API String ID: 3615053054-2563687911
                                                    APIs
                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                    • DrawTextW.USER32(00000000,00428220,000000FF,00000010,00000820), ref: 00401156
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                    • String ID: F
                                                    • API String ID: 941294808-1304234792
                                                    APIs
                                                    • lstrcpyW.KERNEL32(00425DA8,NUL), ref: 00405D5D
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00409300,00405EE1,?,?), ref: 00405D81
                                                    • GetShortPathNameW.KERNEL32(?,00425DA8,00000400), ref: 00405D8A
                                                      • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                      • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                                    • GetShortPathNameW.KERNEL32(004265A8,004265A8,00000400), ref: 00405DA7
                                                    • wsprintfA.USER32 ref: 00405DC5
                                                    • GetFileSize.KERNEL32(00000000,00000000,004265A8,C0000000,00000004,004265A8,?,?,?,?,?), ref: 00405E00
                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0F
                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E47
                                                    • SetFilePointer.KERNEL32(00409578,00000000,00000000,00000000,00000000,004259A8,00000000,-0000000A,00409578,00000000,[Rename],00000000,00000000,00000000), ref: 00405E9D
                                                    • GlobalFree.KERNEL32(00000000), ref: 00405EAE
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EB5
                                                      • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\t6V3uvyaAP.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                      • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                    • String ID: %ls=%ls$NUL$[Rename]
                                                    • API String ID: 222337774-899692902
                                                    APIs
                                                    • CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\t6V3uvyaAP.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                                    • CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                                    • CharNextW.USER32(00409300,"C:\Users\user\Desktop\t6V3uvyaAP.exe",76233420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                                    • CharPrevW.USER32(00409300,00409300,76233420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                                    Strings
                                                    • *?|<>/":, xrefs: 00406305
                                                    • "C:\Users\user\Desktop\t6V3uvyaAP.exe", xrefs: 004062F7
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004062B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Char$Next$Prev
                                                    • String ID: "C:\Users\user\Desktop\t6V3uvyaAP.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 589700163-2355193978
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00404167
                                                    • GetSysColor.USER32(00000000), ref: 00404183
                                                    • SetTextColor.GDI32(?,00000000), ref: 0040418F
                                                    • SetBkMode.GDI32(?,?), ref: 0040419B
                                                    • GetSysColor.USER32(?), ref: 004041AE
                                                    • SetBkColor.GDI32(?,?), ref: 004041BE
                                                    • DeleteObject.GDI32(?), ref: 004041D8
                                                    • CreateBrushIndirect.GDI32(?), ref: 004041E2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                    • String ID:
                                                    • API String ID: 2320649405-0
                                                    APIs
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A63
                                                    • GetMessagePos.USER32 ref: 00404A6B
                                                    • ScreenToClient.USER32(?,?), ref: 00404A85
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A97
                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ABD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Message$Send$ClientScreen
                                                    • String ID: f
                                                    • API String ID: 41195575-1993550816
                                                    APIs
                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                    • MulDiv.KERNEL32(0004BB2E,00000064,0004BD32), ref: 00402D4D
                                                    • wsprintfW.USER32 ref: 00402D5D
                                                    • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                                    Strings
                                                    • verifying installer: %d%%, xrefs: 00402D57
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                    • String ID: verifying installer: %d%%
                                                    • API String ID: 1451636040-82062127
                                                    APIs
                                                    • GetDC.USER32(?), ref: 00401D59
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                    • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                    • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                    • CreateFontIndirectW.GDI32(0040BDD0), ref: 00401DD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                    • String ID: Calibri
                                                    • API String ID: 3808545654-1409258342
                                                    APIs
                                                    • GlobalFree.KERNEL32(00000000), ref: 10002416
                                                      • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                    • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    Similarity
                                                    • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                    • String ID:
                                                    • API String ID: 4216380887-0
                                                    APIs
                                                      • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                    • GlobalFree.KERNEL32(?), ref: 10002572
                                                    • GlobalFree.KERNEL32(00000000), ref: 100025AD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    Similarity
                                                    • API ID: Global$Free$Alloc
                                                    • String ID:
                                                    • API String ID: 1780285237-0
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                    • GlobalFree.KERNEL32(?), ref: 004028E9
                                                    • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                    • CloseHandle.KERNEL32(?), ref: 00402914
                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                    • String ID:
                                                    • API String ID: 2667972263-0
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: ByteCharMultiWidelstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\nstD8B2.tmp$C:\Users\user\AppData\Local\Temp\nstD8B2.tmp\System.dll
                                                    • API String ID: 3109718747-3991153415
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    Similarity
                                                    • API ID: FreeGlobal
                                                    • String ID:
                                                    • API String ID: 2979337801-0
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                    • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    Similarity
                                                    • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                    • String ID:
                                                    • API String ID: 1148316912-0
                                                    APIs
                                                    • GetDlgItem.USER32(?,?), ref: 00401D00
                                                    • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                    • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                    • String ID:
                                                    • API String ID: 1849352358-0
                                                    APIs
                                                    • lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                    • wsprintfW.USER32 ref: 004049E4
                                                    • SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: ItemTextlstrlenwsprintf
                                                    • String ID: %u.%u%s%s
                                                    • API String ID: 3540041739-3551169577
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: MessageSend$Timeout
                                                    • String ID: !
                                                    • API String ID: 1777923405-2657877971
                                                    APIs
                                                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059D9
                                                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059E3
                                                    • lstrcatW.KERNEL32(?,00409014), ref: 004059F5
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: CharPrevlstrcatlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 2659869361-3936084776
                                                    APIs
                                                    • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403504,?), ref: 00402D9D
                                                    • GetTickCount.KERNEL32 ref: 00402DBB
                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
                                                    • ShowWindow.USER32(00000000,00000005,?,?,00000000,00403504,?), ref: 00402DE6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                    • String ID:
                                                    • API String ID: 2102729457-0
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 00405121
                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405172
                                                      • Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: Window$CallMessageProcSendVisible
                                                    • String ID:
                                                    • API String ID: 3748168415-3916222277
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,004037AB,004035C0,?), ref: 004037ED
                                                    • GlobalFree.KERNEL32(?), ref: 004037F4
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: Free$GlobalLibrary
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 1100898210-3936084776
                                                    APIs
                                                    • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\t6V3uvyaAP.exe,C:\Users\user\Desktop\t6V3uvyaAP.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A25
                                                    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\t6V3uvyaAP.exe,C:\Users\user\Desktop\t6V3uvyaAP.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A35
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrlen
                                                    • String ID: C:\Users\user\Desktop
                                                    • API String ID: 2709904686-3125694417
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                    • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                    • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                    • GlobalFree.KERNEL32(?), ref: 10001203
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4570748137.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.4570714741.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.4570776282.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000000.00000002.4570805771.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$Alloc
                                                    • String ID:
                                                    • API String ID: 1780285237-0
                                                    APIs
                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B81
                                                    • CharNextA.USER32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B92
                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4566312490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4566199341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566410136.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4566534108.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4567040284.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_t6V3uvyaAP.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                    • String ID:
                                                    • API String ID: 190613189-0