Windows Analysis Report
WYnv59N83j.exe

Overview

General Information

Sample name: WYnv59N83j.exe (renamed because original name is a hash value)
Original sample name: e96aa6bd5e526e99340594fadc6f64cec5763c1758371006ffa77c02827971a5.exe
Analysis ID: 1452979
MD5: 5a9432e169d09692069c5e29af0fb359
SHA1: aec91bf20432f37270522dd6fff140f7a15bdbea
SHA256: e96aa6bd5e526e99340594fadc6f64cec5763c1758371006ffa77c02827971a5
Tags: exe, GuLoader

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Machine Learning detection for sample
Mass process execution to delay analysis
Obfuscated command line found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WYnv59N83j.exe (PID: 4144 cmdline: "C:\Users\user\Desktop\WYnv59N83j.exe" MD5: 5A9432E169D09692069C5E29AF0FB359)
    • dllhost.exe (PID: 1632 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • cmd.exe (PID: 5700 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6340 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2220 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1976 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4428 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6844 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5028 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2232 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6204 cmdline: cmd /c set /a "0x75^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5284 cmdline: cmd /c set /a "0x4E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4352 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5988 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2220 cmdline: cmd /c set /a "0x71^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3292 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4428 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5284 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2640 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1976 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7056 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5560 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5884 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2472 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1848 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5028 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5640 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5820 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1272 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1972 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3652 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7060 cmdline: cmd /c set /a "0x50^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2800 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1292 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5948 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6340 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2892 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5640 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7056 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4612 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1876 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5280 cmdline: cmd /c set /a "0x79^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3652 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5988 cmdline: cmd /c set /a "0x56^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4428 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6204 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5948 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2752 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6192 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2820 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5952 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5560 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5884 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1848 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5280 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6056 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2604 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4832 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4428 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5884 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1848 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2752 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5820 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2072 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3116 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4140 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5340 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3692 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5952 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1272 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5536 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 744 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6096 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5280 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2472 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2072 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1276 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3648 cmdline: cmd /c set /a "0x6D^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7056 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5320 cmdline: cmd /c set /a "0x74^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4764 cmdline: cmd /c set /a "0x68^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 344 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6436 cmdline: cmd /c set /a "0x6A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2508 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2752 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5480 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1292 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6800 cmdline: cmd /c set /a "0x70^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 744 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2220 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3936 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4708 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6104 cmdline: cmd /c set /a "0x47^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5340 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4072 cmdline: cmd /c set /a "0x67^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5384 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2220 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5512 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1292 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6252 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6844 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6848 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5536 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2072 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1524 cmdline: cmd /c set /a "0x0B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4676 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6120 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4796 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6848 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5952 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2220 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4456 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6152 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1292 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4424 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6096 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3712 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2820 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6576 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5536 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5280 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5512 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6408 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6800 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6036 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7152 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2508 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3936 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3116 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4764 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5456 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5228 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2616 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4140 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6640 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1848 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6968 cmdline: cmd /c set /a "0x10^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3364 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6568 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6592 cmdline: cmd /c set /a "0x56^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2272 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3836 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4752 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6092 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7108 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3788 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3180 cmdline: cmd /c set /a "0x50^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2020 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2360 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1120 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 760 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2072 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5024 cmdline: cmd /c set /a "0x79^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5228 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6800 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1784 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6640 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4296 cmdline: cmd /c set /a "0x4D^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6968 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1628 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6568 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4480 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4084 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5340 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5308 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5228 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2884 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6844 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6252 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6848 cmdline: cmd /c set /a "0x1F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6204 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5040 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4368 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6340 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3192 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5304 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1200 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2604 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5532 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6360 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2020 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5812 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5952 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4304 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5512 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6980 cmdline: cmd /c set /a "0x50^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5360 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5760 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 744 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1632 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1784 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3712 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1276 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2972 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3012 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 344 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WMIADAP.exe (PID: 2072 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
    • cmd.exe (PID: 1968 cmdline: cmd /c set /a "0x79^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6092 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4140 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5228 cmdline: cmd /c set /a "0x47^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2796 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3180 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6252 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3624 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1628 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1276 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6624 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4616 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4796 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5400 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 356 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3724 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4072 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 744 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1352 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5564 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6360 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4708 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5812 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6408 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2272 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4676 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5312 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4140 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4440 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3276 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4768 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1632 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6768 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2752 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4612 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2428 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3872 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2656 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5544 cmdline: cmd /c set /a "0x65^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6096 cmdline: cmd /c set /a "0x47^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6676 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2292 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3692 cmdline: cmd /c set /a "0x71^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4980 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2360 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2276 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6020 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2972 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3560 cmdline: cmd /c set /a "0x76^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4296 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5332 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5400 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5312 cmdline: cmd /c set /a "0x67^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 528 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5548 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6556 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3752 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1372 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3220 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2352 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1048 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6352 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3692 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6468 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2820 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2468 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3712 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5696 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2520 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5536 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3936 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3500 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3840 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3872 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4676 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5304 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5800 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4428 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5308 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.4471682522.0000000006742000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: WYnv59N83j.exe PID: 4144 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WYnv59N83j.exe", ParentImage: C:\Users\user\Desktop\WYnv59N83j.exe, ParentProcessId: 4144, ParentProcessName: WYnv59N83j.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 344, ProcessName: svchost.exe
      Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WYnv59N83j.exe", ParentImage: C:\Users\user\Desktop\WYnv59N83j.exe, ParentProcessId: 4144, ParentProcessName: WYnv59N83j.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 344, ProcessName: svchost.exe
      No Snort rule has matched


      AV Detection

      Source: WYnv59N83j.exe | ReversingLabs: Detection: 52%
      Source: WYnv59N83j.exe | Virustotal: Detection: 32%
      Source: WYnv59N83j.exe | Joe Sandbox ML: detected
      Source: WYnv59N83j.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: WYnv59N83j.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_00406362 FindFirstFileW,FindClose
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_004027FB FindFirstFileW
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\outsplendour\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\outsplendour\urite\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
      Source: WYnv59N83j.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
      Source: conhost.exe | Process created: 234
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | File created: C:\Windows\resources\0809
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\WmiApRpl.h
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\inf\WmiApRpl\0009\
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\PerfStringBackup.TMP
      Source: C:\Windows\System32\wbem\WMIADAP.exe | File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_004066E3
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_00404AFA
      Source: WYnv59N83j.exe, 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameimplementeredes smelters.exeDVarFileInfo$ vs WYnv59N83j.exe
      Source: WYnv59N83j.exe | Binary or memory string: OriginalFilenameimplementeredes smelters.exeDVarFileInfo$ vs WYnv59N83j.exe
      Source: classification engine | Classification label: mal80.troj.evad.winEXE@585/30@0/0
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_0040457E GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Code function: 0_2_00402095 CoCreateInstance
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | File created: C:\Users\user\AppData\Local\outsplendour
      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
      Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | File created: C:\Users\user\AppData\Local\Temp\nse5996.tmp
      Source: WYnv59N83j.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | File read: C:\Users\user\Desktop\WYnv59N83j.exe
      Source: unknown | Process created: C:\Users\user\Desktop\WYnv59N83j.exe "C:\Users\user\Desktop\WYnv59N83j.exe"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x51^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6A^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x47^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x67^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0B^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4D^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x67^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0B^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
      Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: loadperf.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exeSection loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: C:\Windows\System32\wbem\WMIADAP.exeFile written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: WYnv59N83j.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      Source: Yara match File source: Process Memory Space: WYnv59N83j.exe PID: 4144, type: MEMORYSTR
      Source: Yara match File source: 00000000.00000002.4471682522.0000000006742000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4B^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x67^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x65^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x76^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
      Source: C:\Users\user\Desktop\WYnv59N83j.exe File created: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe File created: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\nsExec.dll
      Source: C:\Windows\System32\wbem\WMIADAP.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance
      Source: C:\Windows\System32\wbem\WMIADAP.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exeRDTSC instruction interceptor: First address: 6AA8BB0 second address: 6AA8BB0 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F6BF4E8EEEAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
      Source: C:\Users\user\Desktop\WYnv59N83j.exeWindow / User API: threadDelayed 362
      Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1852
      Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1131
      Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1424
      Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1486
      Source: C:\Windows\System32\wbem\WMIADAP.exeWindow / User API: threadDelayed 1205
      Source: C:\Users\user\Desktop\WYnv59N83j.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\nsExec.dll
      Source: C:\Users\user\Desktop\WYnv59N83j.exe TID: 2888Thread sleep time: -36200s >= -30000s
      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 516Thread sleep count: 1852 > 30
      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 516Thread sleep count: 1131 > 30
      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 516Thread sleep count: 1424 > 30
      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 516Thread sleep count: 1486 > 30
      Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 516Thread sleep count: 1205 > 30
      Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\WYnv59N83j.exeCode function: 0_2_00406362 FindFirstFileW,FindClose,0_2_00406362
      Source: C:\Users\user\Desktop\WYnv59N83j.exeCode function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405810
      Source: C:\Users\user\Desktop\WYnv59N83j.exeCode function: 0_2_004027FB FindFirstFileW,0_2_004027FB
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\outsplendour\
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\outsplendour\urite\
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
      Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
      Source: C:\Users\user\Desktop\WYnv59N83j.exeAPI call chain: ExitProcess graph end nodegraph_0-4449
      Source: C:\Users\user\Desktop\WYnv59N83j.exeAPI call chain: ExitProcess graph end nodegraph_0-4454
      Source: C:\Users\user\Desktop\WYnv59N83j.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\WYnv59N83j.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x65^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x76^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Users\user\Desktop\WYnv59N83j.exeCode function: 0_2_00406041 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406041
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
      Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Windows Service | 1 Modify Registry | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 11 Process Injection | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 1 Time Based Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 4 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Time Based Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Obfuscated Files or Information | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 File Deletion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
      [Figure: Behavior graph. ID: 1452979, Sample: WYnv59N83j.exe, Start date: 06/06/2024, Architecture: WINDOWS, Score: 80. Signatures on the sample: Multi AV Scanner detection for submitted file, Yara detected GuLoader, Machine Learning detection for sample. WYnv59N83j.exe is started, drops C:\Users\user\AppData\Local\...\nsExec.dll and C:\Users\user\AppData\Local\...\System.dll (both PE32), and carries the signatures Obfuscated command line found, Mass process execution to delay analysis, and Tries to detect virtualization through RDTSC time measurements. It starts three cmd.exe processes, each with a conhost.exe child, plus 272 other processes, which in turn start conhost.exe processes and 266 other processes.]

      Source: WYnv59N83j.exe, Detection: 53%, Scanner: ReversingLabs, Label: Win32.Trojan.GuLoader
      Source: WYnv59N83j.exe, Detection: 33%, Scanner: Virustotal
      Source: WYnv59N83j.exe, Detection: 100%, Scanner: Joe Sandbox ML

      Source: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll, Detection: 0%, Scanner: ReversingLabs
      Source: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll, Detection: 0%, Scanner: Virustotal
      Source: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\nsExec.dll, Detection: 0%, Scanner: ReversingLabs
      Source: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\nsExec.dll, Detection: 0%, Scanner: Virustotal

      No Antivirus matches

      Source: bg.microsoft.map.fastly.net, Detection: 0%, Scanner: Virustotal

      Source: http://nsis.sf.net/NSIS_ErrorError, Detection: 0%, Scanner: Avira URL Cloud, Label: safe
      Source: http://nsis.sf.net/NSIS_ErrorError, Detection: 0%, Scanner: Virustotal

      Name: bg.microsoft.map.fastly.net, IP: 199.232.210.172, Active: true, Malicious: false, Reputation: unknown

      Name: http://nsis.sf.net/NSIS_ErrorError, Source: WYnv59N83j.exe, Malicious: false, Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe, Reputation: unknown

      No contacted IP infos
      Joe Sandbox version: 40.0.0 Tourmaline
      Analysis ID: 1452979
      Start date and time: 2024-06-06 13:40:05 +02:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 12m 38s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed: 549
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: WYnv59N83j.exe (renamed because original name is a hash value)
      Original Sample Name: e96aa6bd5e526e99340594fadc6f64cec5763c1758371006ffa77c02827971a5.exe
      Detection: MAL
      Classification: mal80.troj.evad.winEXE@585/30@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 59
      • Number of non-executed functions: 27
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Override analysis time to 240000 for current running targets taking high CPU consumption
      • Exclude process from analysis (whitelisted): SIHClient.exe
      • Excluded IPs from analysis (whitelisted): 20.114.59.183, 52.165.164.15, 13.85.23.206
      • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtSetInformationFile calls found.
      • Report size getting too big, too many NtWriteVirtualMemory calls found.
      Time: 07:40:53, Type: API Interceptor, Description: 1x Sleep call for process: dllhost.exe modified
      Time: 07:41:46, Type: API Interceptor, Description: 62x Sleep call for process: WYnv59N83j.exe modified
      No context
      Match: bg.microsoft.map.fastly.net
      • Associated Sample Name / URL: R9eF05c3nd.exe, Detection: malicious, Threat Name: AgentTesla, Context: 199.232.214.172
      • Associated Sample Name / URL: ccC7CDFh0k.exe, Detection: malicious, Threat Name: AgentTesla, Context: 199.232.214.172
      • Associated Sample Name / URL: https://serviceanyirs.com/Bagdad/, Detection: malicious, Threat Name: Unknown, Context: 199.232.210.172
      • Associated Sample Name / URL: http://barajind.top, Detection: malicious, Threat Name: Unknown, Context: 199.232.210.172
      • Associated Sample Name / URL: 11 London Hire Ltd Flex.xlsx, Detection: malicious, Threat Name: Unknown, Context: 199.232.210.172
      • Associated Sample Name / URL: http://www.oxid.it/cain.html, Detection: malicious, Threat Name: Unknown, Context: 199.232.214.172
      • Associated Sample Name / URL: Remittance slip.vbs, Detection: malicious, Threat Name: FormBook, GuLoader, Context: 199.232.210.172
      • Associated Sample Name / URL: https://totaldesignbuild-my.sharepoint.com/:f:/g/personal/trent_moxieconstruction_com_au/EsNTrOblQkFCo1o5UZWfkQcBkVlQsfp5XBXUmyV1cYbDvQ?e=5%3a72JK9C&at=9, Detection: malicious, Threat Name: HTMLPhisher, Context: 199.232.214.172
      • Associated Sample Name / URL: https://www.encurtador.dev/redirecionamento/y1YTb, Detection: malicious, Threat Name: Unknown, Context: 199.232.210.172
      • Associated Sample Name / URL: KLRA3j95ax.exe, Detection: malicious, Threat Name: Vidar, Context: 199.232.214.172
      No context
      No context
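      Match: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\nsExec.dll
      • Associated Sample Name / URL: t6V3uvyaAP.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: Unspuriousness.exe, Detection: malicious, Threat Name: FormBook, GuLoader
      • Associated Sample Name / URL: Unspuriousness.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Threat Name: AgentTesla, GuLoader
      • Associated Sample Name / URL: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Threat Name: AgentTesla, GuLoader
      • Associated Sample Name / URL: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Threat Name: AgentTesla, GuLoader
      • Associated Sample Name / URL: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Threat Name: AgentTesla, GuLoader
      • Associated Sample Name / URL: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Threat Name: GuLoader

      Match: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll
      • Associated Sample Name / URL: t6V3uvyaAP.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: Z4f1Tbtgas.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: Z4f1Tbtgas.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: Unspuriousness.exe, Detection: malicious, Threat Name: FormBook, GuLoader
      • Associated Sample Name / URL: Unspuriousness.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: 400 EUR.exe, Detection: malicious, Threat Name: GuLoader, Remcos
      • Associated Sample Name / URL: 400 EUR.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: pagamento240529.bat.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: pagamento240529.bat.exe, Detection: malicious, Threat Name: GuLoader
      • Associated Sample Name / URL: ordinazione d acquisto 00299344.bat.exe, Detection: malicious, Threat Name: GuLoader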
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.655335921632966
                                              Encrypted:false
                                              SSDEEP:192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
                                              MD5:EE260C45E97B62A5E42F17460D406068
                                              SHA1:DF35F6300A03C4D3D3BD69752574426296B78695
                                              SHA-256:E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
                                              SHA-512:A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              Joe Sandbox View:
                                              • Filename: t6V3uvyaAP.exe, Detection: malicious, Browse
                                              • Filename: Z4f1Tbtgas.exe, Detection: malicious, Browse
                                              • Filename: Z4f1Tbtgas.exe, Detection: malicious, Browse
                                              • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                              • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                              • Filename: 400 EUR.exe, Detection: malicious, Browse
                                              • Filename: 400 EUR.exe, Detection: malicious, Browse
                                              • Filename: pagamento240529.bat.exe, Detection: malicious, Browse
                                              • Filename: pagamento240529.bat.exe, Detection: malicious, Browse
                                              • Filename: ordinazione d acquisto 00299344.bat.exe, Detection: malicious, Browse
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):6656
                                              Entropy (8bit):5.139253382998066
                                              Encrypted:false
                                              SSDEEP:96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
                                              MD5:1B0E41F60564CCCCCD71347D01A7C397
                                              SHA1:B1BDDD97765E9C249BA239E9C95AB32368098E02
                                              SHA-256:13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
                                              SHA-512:B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              Joe Sandbox View:
                                              • Filename: t6V3uvyaAP.exe, Detection: malicious, Browse
                                              • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                              • Filename: Unspuriousness.exe, Detection: malicious, Browse
                                              • Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
                                              • Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):179580
                                              Entropy (8bit):7.586600962489968
                                              Encrypted:false
                                              SSDEEP:3072:WTvPQ5RnOOlse0CDgsSofQNqutlixKB+dYhwgW9oyGvWO5gMkdn:JOospCkrofmqutlixKB+dYOoyGvWOMdn
                                              MD5:D508651AA12A4EA56E7A98AEF27CE2CD
                                              SHA1:F1B8E383B29140E51943D5F6B23788D1F94ED12B
                                              SHA-256:8F09D2BADC78BC1D290D56C2E88A0317C57232C7D780EE3975728E6AEF6E34FC
                                              SHA-512:94B99D977C6C67F6F7A9819D6EC44C0BA9031B9AAB84856B92D91E17160A0D6867017A7894D5ABD807BD9DC4765C7320F7EC3F616FFA3D7A93C22308F9FC1BD6
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):10972
                                              Entropy (8bit):4.892382175452858
                                              Encrypted:false
                                              SSDEEP:192:XyK9IqhE+2QhmCRCB25juJbLHtRkBJSi0u3m7nolq:X7Xh40mCwB2u3sii0u0olq
                                              MD5:E0793D711445D7E23F4BF69AD2A0A681
                                              SHA1:625855A515D5D0EBCED8427DFD458610E4246992
                                              SHA-256:340C748D418A36BC4A555D2B06092FB41FB725B039A364C97C1EABD7EF50AE43
                                              SHA-512:2408AB5E5E1EE1A4D0F0A24FC97FB9073C329FADB0DA45A492DA11F9C82B52040C2AF7353DB43F435E324D5FD18DD05F77F743D3CC8720C098A97DF5EDBA16CD
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1593
                                              Entropy (8bit):4.7827969913861095
                                              Encrypted:false
                                              SSDEEP:24:b2AXtJt6jnNT9OlGUJoRugPF9acO2QqA3hmRk1KnR+sjI0RAW9RqOw5FMHGcacn:iAXDt6DNxOA9RFPzlgqiQn5kW9hwHh+
                                              MD5:1A4CA94F39ADCBD05E127607CC9993A0
                                              SHA1:1C6249E76B3DD5315B2A3DFBBC1E02DFBF754E47
                                              SHA-256:FC840AA82122EB9EEC1D032D25104F8C9BFBFE1671BF6A268841A53967312041
                                              SHA-512:21FF66988075EFD4F15EF001BED597CBB37791721F55CEA55140ECB9B95F51E64D6A248D8E5677595EA1AF1B62A0EAD54584264D5211798F4141A43CEE1525E9
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                              Category:dropped
                                              Size (bytes):66454
                                              Entropy (8bit):2.6505675140392255
                                              Encrypted:false
                                              SSDEEP:768:nYIcbQhbWVEEETQxeGW5JH23QW1MBqrm8IyKSIvBUwEE9fn76EmXiYNZLWgEE6g9:8QJJqrm8hIvBB6tPN5ugQ7BG
                                              MD5:661EF505F13B3D5B94B6932ED07CE750
                                              SHA1:0B706939893F0560689C0BFA55C7EA819DD2B059
                                              SHA-256:8BA0D924AF347AF6388A5435F9EFA4409C352502E51A49BCAAB7C92E11E9CEEC
                                              SHA-512:9FC5FEB28C412B411A0A07EF219F69415BB21A6288077106ABA67E8F9C288636DABBEEC6B2DCE93A9C0F4DF80DA6AAEEAE6B8464C5B679B73A04CEBFF2A1E405
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):6952
                                              Entropy (8bit):4.884923989192729
                                              Encrypted:false
                                              SSDEEP:192:WLwMpWNgncchv7F5XymzLsRRTdCVfPnhw:+zpaP2vfXyEsbdCdPn2
                                              MD5:8C001DE6006342839D659DD9F4CEED6C
                                              SHA1:9CA07429FE6EB3361B410259342E1AFF3760662B
                                              SHA-256:C38D73BF73394459CEFB655A178D65C4EFC982AACC568151B58C53A9428A4CE8
                                              SHA-512:AB14D2372A08B0B3D8AEFD8DD3679CF51DA00563741B1B3D5480FEE7A84AA072F5BB9547717AEB41B3A1ACE550A93E934177E7394D1782505A86CB5D9C5979D6
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):8188
                                              Entropy (8bit):4.984630631981175
                                              Encrypted:false
                                              SSDEEP:96:RDq3NihxmhrRyHl7kw6ONznzGdpc+oViKcXddk0UWHLXw1WWUuWl8yVaPz3g:R2cmCFUONTzGLoVUX3L3H77ta3g
                                              MD5:78AEF8A8B0425EA50D018A0A0A00407F
                                              SHA1:75CBF326AAF381449343AB34E7B9B6D151BF6632
                                              SHA-256:6C85C6EAA06602968F61999D902B8434AF8353F64F50329C1E8A4100E6734384
                                              SHA-512:34C2399709870EF0406299D5EFC51A3A6E222A763FC9DF0E794A6C1F5D79F0834D862D8B14BEAB52C8ADEA26A5029DA2D5533F8C673E769BB3C760630FF4F3C4
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):407
                                              Entropy (8bit):4.186911394455087
                                              Encrypted:false
                                              SSDEEP:6:CHreC6uMP8pWM9LgtpEMhEhOAIEWtw48ITxakAoWSASnu+E5SP5rt:CH6Tdw19yBMABadExakAonF85Ct
                                              MD5:7737810DEB8E7F00B5CE121EEB189BCB
                                              SHA1:AD3C8C01DF6557FF6D425C5DDD6D25E5D111A045
                                              SHA-256:4D6F4DE1AB65601030F536223F8A38DB16FBADBA9FC376332ABE9F352F86D191
                                              SHA-512:77DECB08D6404699BC7201D5489087D215B65A35DE67CB7888ED22EEAEBD0FF866E314F940F5344E9DA8254B7755616D3D3EDABB1E44B0A3067B4BEC0527BEF0
                                              Malicious:false
                                              Preview:negligerer unslumbering trylletaster avlingers linjetllernes spaaedes,rejselotteriets mesocaecal konklusionerne paatage varmeovn sljdens armilla uninformatively gleesomeness..beskeler pinnywinkles fremtidsbyerne eksproprieringsplaner mellemkomsts afflated..underdealing turboventilator fauster.udslgendes collaborativeness rearisen aabningstalerne angie mortensen natklubberne,landzoneloven frowzled anapst.
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):8588
                                              Entropy (8bit):4.888629932145179
                                              Encrypted:false
                                              SSDEEP:192:rMLE0UFUzJTwLJPW11HT2Vb+unZev3NulS69ESBn37o3Q:N0ygJTwRwT2h3svCvJBnD
                                              MD5:E72E4DA0C887E3F827B738F35E0482EC
                                              SHA1:257D468DC970555ABECFF7B05FD696ABDF6A7D40
                                              SHA-256:7C8DA843782B56378C86B6DD3375900E26B2C65DD70CA92CA2825817CE3C8424
                                              SHA-512:AEB104FD5B71E2C850F0F765E06C15A185B44FFAE6419E2047FCEAD27AEF5B158ED41DCC6F30CD8D377F751F845572597DF0C903B2A49D6CC6B5A389D3F6CB40
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):12304
                                              Entropy (8bit):4.929043817018574
                                              Encrypted:false
                                              SSDEEP:192:shTgoifXw8BGeup9Ymc6q/XRxZoQyWKjjI+4iUpZP7tOpSgIo/uunP6QLFx:shbigf7Ymj+ZT9KAs6vOWuPBL3
                                              MD5:E5FF5853BB7E5F30F19224B4B4BC7C0A
                                              SHA1:68493998A1960EBF37F3D96785356698B8113B08
                                              SHA-256:9DACE326D0608440D7103A035D1E4FA5398AC900CD2E7FBF059E0E5E04251649
                                              SHA-512:E654B7B95DDF8A07DE8422C4580DE51F08D7FCBDCB843DD1744C8CE9403AF6185533654320F7EE0F90EFB72EA696CBE93014A06FED513B14F259B8A4CB52172E
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):9832
                                              Entropy (8bit):4.90925380839641
                                              Encrypted:false
                                              SSDEEP:192:HnR06jz+VjB9QBI/H2YcXvdQfYF+KK1ZC5AzRwjDKrb2z5AH:HnRyV99cIvelFPKKAzRD
                                              MD5:12B0BCE3AE0573AE1276CD87F0709898
                                              SHA1:57CDCEB9E98CB606D25371FCB8A4903C556D7733
                                              SHA-256:279A405D723F09D5453D71C6C76F1C3A3B792EDB9D1D1EC3D82D66A60A63CD40
                                              SHA-512:1493904679F5E9E0708AA38F884EAFC8799EDD53FB0BDF53578F25CE50AD387BEA89E113C1918D8455FEF552F7740AC9EAB8ABDA422EC69EAEC0FB412EEE2F5D
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):12014
                                              Entropy (8bit):4.886352020865119
                                              Encrypted:false
                                              SSDEEP:192:jTmZZAK4ucJLU4AN9o4R2Ax0cWcqfNPxXa/brhXgzKkhyOFy5KTp/1Lfqofi:jCZm7NRU4g5CzcqfNtU2NhyOIKp/1zqn
                                              MD5:418734ED4634DE7787643A60EA1C8F10
                                              SHA1:AC64409F656F7110C7FCF1987C92DAE67DA5189B
                                              SHA-256:C5021D2B81E9352A27CD57CB3F1C94644CCD5E942A94D42F7533980393653B08
                                              SHA-512:F320C0BEA3835DE1E91C77135EA8B218617D929661D1A666C45DB5A6DF371A439A2E23C6FD16671FB99495BE250B2ACA64B0749A20D831EB2350B680300A5022
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):10093
                                              Entropy (8bit):4.921304550843908
                                              Encrypted:false
                                              SSDEEP:192:DZ8rRF5ahaphjNo0D8isfxagfOzUZt5Dn6OnNeTQMpIXDiqFTJ6dd3UwJzB0KW:98FB20+tO0tnhn3MpITiqju/J2P
                                              MD5:9060008E461A11F15F9BDEE09706F2AC
                                              SHA1:F32FBA221B0465E653089E1102D909641DB4592C
                                              SHA-256:9A120EBD44CB869A97371818103EC064399E6CBE04089D0C8711FCEF98F1E2ED
                                              SHA-512:23E81C7955822F2D4D86E59D4DB76171FFBB8C17CAA722C2A080304BA6F2AEF61F5CE6C221F8828D3E7C231C8C83E34529BE9338321EF4F151DC980CA1E9A85D
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):11275
                                              Entropy (8bit):4.942431684383429
                                              Encrypted:false
                                              SSDEEP:192:nAuaTg5xjp2K6DSBOn3yP1Ar91Jn+7FKVojZvcNMJQlutl/pK:nAFwL6De03yPm9pVo9vcNMJQlO/pK
                                              MD5:58085E9D57CBB196894651B435A4FCEA
                                              SHA1:A47092853C0A3AAE0B9423B2003FF7B0F8957A70
                                              SHA-256:94CE73AFED0065F579AD1AC5D19EF243E1B77446FFE24751FED28317F1578B8A
                                              SHA-512:C3DE1FCD063334E75A05996BCCE2BABB7D6634BD12719D25F29D085AE313A9473DEEC3D52319ABAB79F29CDD4B1664139FC7B2F5E99A9342845542EACACD39AF
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2277
                                              Entropy (8bit):4.8720546744219755
                                              Encrypted:false
                                              SSDEEP:48:PCdrJOcv/Q/KFpuMOFkNvf2afRsRX6FpAa4dr67fx3:K9vI6TWQRAKzAa1rx3
                                              MD5:A6ECDF28D8D760E514B38D9B6F0C0484
                                              SHA1:3A5E930136BD8AF3355C0E0ABCA117C75EE08C38
                                              SHA-256:30B4447E0B81B9FD6F712A9F8530E1097C0A597BFCDC45C6A24960F31DF0BD01
                                              SHA-512:82E0B63671BC1E0A810B8EDFF5B05F68C9A0EB49E845434CAA2E4B7848CF86D48123F09E8A7F2524D6B626428EDCB810B2ABE4390E829D6D1160819F7E4884F2
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):10093
                                              Entropy (8bit):4.908874815539876
                                              Encrypted:false
                                              SSDEEP:192:XvFnwZwrcwIJJ8kQsSNTeW/dM/88oKT2RqNLkeU8QoHt:X8wIJNQ76SaxKRcQWQat
                                              MD5:69E5D2DAB77C9AC0FAD016A8CC132888
                                              SHA1:B80B8984AB6A92C42A6DAD69504E9AF4D6432334
                                              SHA-256:E0592100712DB5131F94AE72FCF2D4808023558293DBD6ACEB909E0A713A922E
                                              SHA-512:3EF2CD6257FB623737F5B19CFE0F801A0B03431FAF6909D709498B488EF795E072BB4613DBDDDB2E58BCB12D64F1695A676685AB8AE2BCADC0D621432EAD705A
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):8927
                                              Entropy (8bit):4.947192103826229
                                              Encrypted:false
                                              SSDEEP:192:TOCOnoHxdeGzvacRYUOmmHRZCzUIRPWskihdFgPXdbX:TuoRdeialUPWRI425SPJX
                                              MD5:3FF2675B3FE540E5406AE3A47F8E7E1C
                                              SHA1:8C94B6634DCF0CBFE15BD423511EB4B990CD07F3
                                              SHA-256:1BAB29AEB79F9447EF609C1A6152D6E052017A910A8E898970403096B8BED5B6
                                              SHA-512:0F91AF92E9FA06FFDC0149441F89ABD9E61CF78821437694B85A6986A4AE6A29ED701C5BB0F3E3D05F893B88BA2915EE40715C0A69B27D4E24DAAD26AFE4B1E7
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):14817
                                              Entropy (8bit):4.973842232000673
                                              Encrypted:false
                                              SSDEEP:384:ExQvLKa9w7TFCEY57YoEFCHmn/OCsQ5kSAnu:YQvLKa+TXYNbE6mnGQ0u
                                              MD5:9857B50710B21F13491FBD4B49CFE2A8
                                              SHA1:928C4B03C509E2743799D1499C4CC6FB5A272B68
                                              SHA-256:903B8858C451A31A068EAD95B9D476879D980B54928DF9BA9191FCF342755188
                                              SHA-512:61F75DA65396525670B3B9A59A26BC9D3D9A0F803F0AC6EFBCF0B6A4AE78F60774DEA6F249021A56E3DAA5DF86EED79DE49F108B781100737078A07E240FA734
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\WYnv59N83j.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):3610
                                              Entropy (8bit):4.851625868360139
                                              Encrypted:false
                                              SSDEEP:96:MJ3g/KzKjiuJ2pK2b0+2b/7tLbzt7OU6ueeb9eh:igCzqDJGlKzt/zoueuoh
                                              MD5:09A6BDBFA480990E803035FE0F160769
                                              SHA1:9B93F41DC69F063F418B04D2479E2A21A42C282B
                                              SHA-256:BA70E2856F8F8BA456C19A72D3AE9F8D85B02681C323315AD126836D1E3EDBBB
                                              SHA-512:E349E82A2EF40929EFF522A1C29B5AAF99F3857CE4858B68C9FD700BE657079042EAB84310536DD56A6455DB9005F1B04A9373B8A2EC13E7741961C38E5733C7
                                              Malicious:false
                                              Process:C:\Windows\System32\wbem\WMIADAP.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3444
                                              Entropy (8bit):5.011954215267298
                                              Encrypted:false
                                              SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                              MD5:B133A676D139032A27DE3D9619E70091
                                              SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                              SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                              SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                              Malicious:false
                                              Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                              Process:C:\Windows\System32\wbem\WMIADAP.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):48786
                                              Entropy (8bit):3.5854495362228453
                                              Encrypted:false
                                              SSDEEP:384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
                                              MD5:DF877BEC5C9E3382E94FEA48FEE049AC
                                              SHA1:1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
                                              SHA-256:7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
                                              SHA-512:433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
                                              Malicious:false
                                              Preview:.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.
                                              Process:C:\Windows\System32\wbem\WMIADAP.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):840878
                                              Entropy (8bit):3.4224066455051885
                                              Encrypted:false
                                              SSDEEP:3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
                                              MD5:D3ED23A3E63ACA8CF656C585568DA6D7
                                              SHA1:1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
                                              SHA-256:AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
                                              SHA-512:21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
                                              Malicious:false
                                              Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.
                                              Process:C:\Windows\System32\wbem\WMIADAP.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):137550
                                              Entropy (8bit):3.409189992022338
                                              Encrypted:false
                                              SSDEEP:1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
                                              MD5:084B771A167854C5B38E25D4E199B637
                                              SHA1:AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
                                              SHA-256:B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
                                              SHA-512:426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
                                              Malicious:false
                                              Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.
                                              Process:C:\Windows\System32\wbem\WMIADAP.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):715050
                                              Entropy (8bit):3.278818886805871
                                              Encrypted:false
                                              SSDEEP:3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
                                              MD5:342BC94F85E143BE85B5B997163A0BB3
                                              SHA1:8780CD88D169AE88C843E19239D9A32625F6A73E
                                              SHA-256:F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
                                              SHA-512:0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
                                              Malicious:false
                                              Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.78076704560717
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:WYnv59N83j.exe
                                              File size:307'814 bytes
                                              MD5:5a9432e169d09692069c5e29af0fb359
                                              SHA1:aec91bf20432f37270522dd6fff140f7a15bdbea
                                              SHA256:e96aa6bd5e526e99340594fadc6f64cec5763c1758371006ffa77c02827971a5
                                              SHA512:a575a3b39975241c0c9071772a0f7b91a02c42aa96bfe72ad4bd4d4374ab8b23142fc76d2dce93e5d5ce3f366b34f080fc95f8997b897fbba0f5a21dc630a265
                                              SSDEEP:6144:8Z/qRrG7nz0GwGLKYZfe4kkD/Q2GbL0UhaU+jwbxBKtDon:8BT7zTGYhe4/duL0UcJEutA
                                              TLSH:9E6412A236D454A7F5D149B468B293F8E3B7AF000821675B5F283F7B3D326B24523297
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L...s..V.................`...*.....
                                              Icon Hash:a5d56872428d9074
                                              Entrypoint:0x40326a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x567F8473 [Sun Dec 27 06:25:55 2015 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:d4b94e8ee3f620a89d114b9da4b31873
                                              Instruction
                                              sub esp, 000002D4h
                                              push ebp
                                              push esi
                                              push 00000020h
                                              xor ebp, ebp
                                              pop esi
                                              mov dword ptr [esp+0Ch], ebp
                                              push 00008001h
                                              mov dword ptr [esp+0Ch], 00409300h
                                              mov dword ptr [esp+18h], ebp
                                              call dword ptr [004070B0h]
                                              call dword ptr [004070ACh]
                                              cmp ax, 00000006h
                                              je 00007F6BF4FE3EE3h
                                              push ebp
                                              call 00007F6BF4FE7026h
                                              cmp eax, ebp
                                              je 00007F6BF4FE3ED9h
                                              push 00000C00h
                                              call eax
                                              push ebx
                                              push edi
                                              push 004092F4h
                                              call 00007F6BF4FE6FA3h
                                              push 004092ECh
                                              call 00007F6BF4FE6F99h
                                              push 004092E0h
                                              call 00007F6BF4FE6F8Fh
                                              push 00000009h
                                              call 00007F6BF4FE6FF4h
                                              push 00000007h
                                              call 00007F6BF4FE6FEDh
                                              mov dword ptr [00429224h], eax
                                              call dword ptr [00407044h]
                                              push ebp
                                              call dword ptr [004072A8h]
                                              mov dword ptr [004292D8h], eax
                                              push ebp
                                              lea eax, dword ptr [esp+34h]
                                              push 000002B4h
                                              push eax
                                              push ebp
                                              push 004206C8h
                                              call dword ptr [0040718Ch]
                                              push 004092C8h
                                              push 00428220h
                                              call 00007F6BF4FE6BDAh
                                              call dword ptr [004070A8h]
                                              mov ebx, 00434000h
                                              push eax
                                              push ebx
                                              call 00007F6BF4FE6BC8h
                                              push ebp
                                              call dword ptr [00407178h]
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74bc | 0xa0 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x50c8 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x5ffa | 0x6000 | df2f822ba33541e61d4a603b60bbdbcc | False | 0.6675211588541666 | data | 6.472885474718374 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x7000 | 0x1370 | 0x1400 | a10c5fabf76461b1b26713fde2284808 | False | 0.4404296875 | data | 5.0714431097950134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0x9000 | 0x20318 | 0x600 | 45bc104aba688d708375b6b0133d1563 | False | 0.5084635416666666 | data | 3.9955723529870646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata | 0x2a000 | 0x29000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc | 0x53000 | 0x50c8 | 0x5200 | 426bb29050c5f87bd5f46d9e517e5ca2 | False | 0.18064024390243902 | data | 2.915223590153904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0x53298 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.10197095435684647
                                              RT_ICON | 0x55840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.17659474671669795
                                              RT_ICON | 0x568e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.21598360655737706
                                              RT_ICON | 0x57270 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2703900709219858
                                              RT_DIALOG | 0x576d8 | 0x100 | data | English | United States | 0.5234375
                                              RT_DIALOG | 0x577d8 | 0x11c | data | English | United States | 0.6056338028169014
                                              RT_DIALOG | 0x578f8 | 0xc4 | data | English | United States | 0.5918367346938775
                                              RT_DIALOG | 0x579c0 | 0x60 | data | English | United States | 0.7291666666666666
                                              RT_GROUP_ICON | 0x57a20 | 0x3e | data | English | United States | 0.8064516129032258
                                              RT_VERSION | 0x57a60 | 0x328 | data | English | United States | 0.47029702970297027
                                              RT_MANIFEST | 0x57d88 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447
                                              DLL | Import
                                              KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                              USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
                                              GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                              SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                                              ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                              COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                              ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                              Language of compilation system | Country where language is spoken | Map
                                              English | United States |
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Jun 6, 2024 13:41:11.704122066 CEST | 1.1.1.1 | 192.168.2.5 | 0x46ab | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                              Jun 6, 2024 13:41:11.704122066 CEST | 1.1.1.1 | 192.168.2.5 | 0x46ab | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false


                                              Target ID:0
                                              Start time:07:40:53
                                              Start date:06/06/2024
                                              Path:C:\Users\user\Desktop\WYnv59N83j.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\WYnv59N83j.exe"
                                              Imagebase:0x400000
                                              File size:307'814 bytes
                                              MD5 hash:5A9432E169D09692069C5E29AF0FB359
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4471682522.0000000006742000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:1
                                              Start time:07:40:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\dllhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                              Imagebase:0x7ff669820000
                                              File size:21'312 bytes
                                              MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:2
                                              Start time:07:40:58
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x53^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:07:40:58
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:07:40:58
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x55^38"
                                              Imagebase:0x7ff6d64d0000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:07:40:58
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:07:40:58
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x43^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:07:40:58
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:07:40:58
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x15^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x14^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:15
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:16
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:17
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:18
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x75^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:19
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:20
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:21
                                              Start time:07:40:59
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:22
                                              Start time:07:41:00
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x49^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:23
                                              Start time:07:41:00
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:24
                                              Start time:07:41:00
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x51^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:25
                                              Start time:07:41:00
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:26
                                              Start time:07:41:00
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x71^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:27
                                              Start time:07:41:00
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:28
                                              Start time:07:41:00
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:29
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:30
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x48^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:31
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:32
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x42^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:33
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:34
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x49^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:35
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:36
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x51^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:37
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:38
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:39
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:40
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:41
                                              Start time:07:41:01
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:42
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:43
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:44
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x11^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:45
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:46
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:47
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:48
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:49
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:50
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:51
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:52
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:53
                                              Start time:07:41:02
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:54
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:55
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:56
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4B^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:57
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:58
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x55^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:59
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:60
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x50^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:61
                                              Start time:07:41:03
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:62
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x45^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:63
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:64
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:65
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:66
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x52^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:67
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:68
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x08^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:69
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:70
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x42^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:71
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:72
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:73
                                              Start time:07:41:04
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:74
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:75
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:76
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:77
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:78
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:79
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:80
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x79^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:81
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:82
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x49^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:83
                                              Start time:07:41:05
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:84
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x56^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:85
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:86
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x43^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:87
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:88
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x48^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:89
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:90
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:91
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:92
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4B^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:93
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:94
                                              Start time:07:41:06
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:95
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:96
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:97
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:98
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x12^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:99
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:100
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:101
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:102
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:103
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:104
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:105
                                              Start time:07:41:07
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:106
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:107
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:108
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:109
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:110
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:111
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:112
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:113
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:114
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:115
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:116
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:117
                                              Start time:07:41:08
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:118
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:119
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:120
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:121
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:122
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:123
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:124
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:125
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:126
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:127
                                              Start time:07:41:09
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:129
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:130
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:131
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:132
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:133
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:134
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:135
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x17^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:136
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:137
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:138
                                              Start time:07:41:10
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:139
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:140
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:141
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:142
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:143
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:144
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:145
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x08^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:146
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:147
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:148
                                              Start time:07:41:11
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:149
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x13^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:150
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:151
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:152
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6068e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:153
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x6D^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:154
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:155
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x63^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:156
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:157
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x74^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:158
                                              Start time:07:41:12
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:159
                                              Start time:07:41:13
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x68^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:160
                                              Start time:07:41:13
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:161
                                              Start time:07:41:13
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x63^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:162
                                              Start time:07:41:13
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:163
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x6A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:164
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:165
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x15^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:166
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:167
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x14^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:168
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:169
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:170
                                              Start time:07:41:14
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:171
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:172
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:173
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x70^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:174
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:175
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:176
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:177
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:178
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:179
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x52^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:180
                                              Start time:07:41:15
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:181
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x53^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:182
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:183
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x47^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:184
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:185
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:186
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:187
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x67^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:188
                                              Start time:07:41:16
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:189
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:190
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:191
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:192
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:193
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x49^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:194
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:195
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x45^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:196
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:197
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x63^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:198
                                              Start time:07:41:17
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:199
                                              Start time:07:41:18
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:200
                                              Start time:07:41:18
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:201
                                              Start time:07:41:18
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:202
                                              Start time:07:41:18
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:203
                                              Start time:07:41:18
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:204
                                              Start time:07:41:18
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:205
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:206
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:207
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0B^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:208
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:209
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x17^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:210
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:211
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:212
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:213
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:214
                                              Start time:07:41:19
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:215
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:216
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:217
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:218
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:219
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:220
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:221
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:222
                                              Start time:07:41:20
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:223
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:224
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:225
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:226
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:227
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x13^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:228
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:229
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x17^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:230
                                              Start time:07:41:21
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:231
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:232
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:233
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x14^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:234
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:235
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x15^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:236
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:237
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:238
                                              Start time:07:41:22
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:239
                                              Start time:07:41:23
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x11^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:240
                                              Start time:07:41:23
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:241
                                              Start time:07:41:23
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x14^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:242
                                              Start time:07:41:23
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:243
                                              Start time:07:41:23
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:244
                                              Start time:07:41:23
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:245
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:246
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:247
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:248
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:249
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:250
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:251
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:252
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:253
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:254
                                              Start time:07:41:24
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:255
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x15^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:256
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:257
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:258
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:259
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:260
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:261
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:262
                                              Start time:07:41:25
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:263
                                              Start time:07:41:26
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:264
                                              Start time:07:41:26
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:265
                                              Start time:07:41:26
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:266
                                              Start time:07:41:26
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:267
                                              Start time:07:41:26
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:268
                                              Start time:07:41:26
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:269
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:270
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:271
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x10^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:272
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:273
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x12^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:274
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:275
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:276
                                              Start time:07:41:27
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:277
                                              Start time:07:41:28
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x56^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:278
                                              Start time:07:41:28
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:279
                                              Start time:07:41:28
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x08^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:280
                                              Start time:07:41:28
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7e52b0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:281
                                              Start time:07:41:28
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:282
                                              Start time:07:41:28
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:283
                                              Start time:07:41:28
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x12^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:284
                                              Start time:07:41:29
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:285
                                              Start time:07:41:29
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:286
                                              Start time:07:41:29
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:287
                                              Start time:07:41:29
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4B^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:288
                                              Start time:07:41:29
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:289
                                              Start time:07:41:29
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x55^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:290
                                              Start time:07:41:29
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:291
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x50^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:292
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:293
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x45^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:294
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:295
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:296
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:297
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x52^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:298
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:299
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:300
                                              Start time:07:41:30
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:301
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:302
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:303
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x79^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:304
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:305
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:306
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6a5670000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:307
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x55^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:308
                                              Start time:07:41:31
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:309
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x43^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:310
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:311
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x43^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:312
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:313
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4D^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:314
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:315
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:316
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:317
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:318
                                              Start time:07:41:32
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:319
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:320
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:321
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:322
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:323
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x13^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:324
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:325
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:326
                                              Start time:07:41:33
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:327
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:328
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:329
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:330
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:331
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:332
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7ae440000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:333
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x11^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:334
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:335
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x17^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:336
                                              Start time:07:41:34
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:337
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:338
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:339
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:340
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:341
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:342
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:343
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:344
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:345
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:346
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:347
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:348
                                              Start time:07:41:35
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:349
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:350
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:351
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:352
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:353
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:354
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:355
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:356
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:357
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x08^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:358
                                              Start time:07:41:36
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:359
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:360
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:361
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x11^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:362
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:363
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:364
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:365
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4B^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:366
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:367
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x55^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:368
                                              Start time:07:41:37
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:369
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x50^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:370
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:371
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x45^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:372
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:373
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:374
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:375
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x52^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:376
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:377
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x08^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:378
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:379
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x42^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:380
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x450000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:381
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:382
                                              Start time:07:41:38
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:383
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:384
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:385
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:386
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:387
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:388
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:389
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                              Imagebase:0x7ff7e52b0000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:390
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\wbem\WMIADAP.exe
                                              Wow64 process (32bit):false
                                              Commandline:wmiadap.exe /F /T /R
                                              Imagebase:0x7ff6e57e0000
                                              File size:182'272 bytes
                                              MD5 hash:1BFFABBD200C850E6346820E92B915DC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:391
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x79^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:392
                                              Start time:07:41:39
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:393
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:394
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:395
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x43^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:396
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:397
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x47^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:398
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:399
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x42^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:400
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:401
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:402
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:403
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:404
                                              Start time:07:41:40
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:405
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:406
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:407
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:408
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:409
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x13^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:410
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:411
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:412
                                              Start time:07:41:41
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:413
                                              Start time:07:41:42
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x7ff757150000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:414
                                              Start time:07:41:42
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:415
                                              Start time:07:41:42
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:416
                                              Start time:07:41:42
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:417
                                              Start time:07:41:42
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:418
                                              Start time:07:41:42
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:419
                                              Start time:07:41:42
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:420
                                              Start time:07:41:43
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6bcc30000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:421
                                              Start time:07:41:43
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x12^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:422
                                              Start time:07:41:43
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:423
                                              Start time:07:41:43
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:424
                                              Start time:07:41:43
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:425
                                              Start time:07:41:43
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:426
                                              Start time:07:41:43
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:427
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:428
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:429
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:430
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:431
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x13^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:432
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:433
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x17^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:434
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:435
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:436
                                              Start time:07:41:44
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:437
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x14^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:438
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:439
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x15^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:440
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:441
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:442
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:443
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x11^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:444
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7e52b0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:445
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x14^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:446
                                              Start time:07:41:45
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:447
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:448
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:449
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:450
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:451
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x53^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:452
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:453
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x55^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:454
                                              Start time:07:41:46
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:455
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x43^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:456
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:457
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:458
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:459
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x15^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:460
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:461
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x14^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:462
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:463
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:464
                                              Start time:07:41:47
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:465
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x1C^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:466
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:467
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x65^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:468
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:469
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x47^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:470
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:471
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:472
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:473
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:474
                                              Start time:07:41:48
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:475
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x71^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:476
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:477
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:478
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:479
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x48^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:480
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:481
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x42^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:482
                                              Start time:07:41:49
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:483
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x49^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:484
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:485
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x51^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:486
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:487
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x76^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:488
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:489
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:490
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:491
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x49^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:492
                                              Start time:07:41:50
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:493
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x45^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:494
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:495
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x67^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:496
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff67e650000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:497
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0E^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:498
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:499
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:500
                                              Start time:07:41:51
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:501
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:502
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:503
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x54^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:504
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6bcc30000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:505
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x12^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:506
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:507
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:508
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:509
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:510
                                              Start time:07:41:52
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:511
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:512
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:513
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:514
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:515
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:516
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:517
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:518
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:519
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:520
                                              Start time:07:41:53
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:521
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:522
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:523
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:524
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:525
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:526
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:527
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:528
                                              Start time:07:41:54
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:529
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:530
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:531
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:532
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:533
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:534
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:535
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0A^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:536
                                              Start time:07:41:55
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:537
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:538
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:539
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x4F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:540
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:541
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x06^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:542
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:543
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x16^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:544
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:545
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x0F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:546
                                              Start time:07:41:56
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:547
                                              Start time:07:41:57
                                              Start date:06/06/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd /c set /a "0x5F^38"
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:548
                                              Start time:07:41:57
                                              Start date:06/06/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:21.1%
                                                Dynamic/Decrypted Code Coverage:13.7%
                                                Signature Coverage:20.8%
                                                Total number of Nodes:1545
                                                Total number of Limit Nodes:46
5195->5190 5196 401d56 GetDC GetDeviceCaps 5197 402ba2 18 API calls 5196->5197 5198 401d74 MulDiv ReleaseDC 5197->5198 5199 402ba2 18 API calls 5198->5199 5200 401d93 5199->5200 5201 406041 18 API calls 5200->5201 5202 401dcc CreateFontIndirectW 5201->5202 5203 402531 5202->5203 4929 4014d7 4930 402ba2 18 API calls 4929->4930 4931 4014dd Sleep 4930->4931 4933 402a4c 4931->4933 5211 401a57 5212 402ba2 18 API calls 5211->5212 5213 401a5d 5212->5213 5214 402ba2 18 API calls 5213->5214 5215 401a05 5214->5215 5216 40155b 5217 4029f2 5216->5217 5220 405f66 wsprintfW 5217->5220 5219 4029f7 5220->5219 4991 401ddc 4992 402ba2 18 API calls 4991->4992 4993 401de2 4992->4993 4994 402ba2 18 API calls 4993->4994 4995 401deb 4994->4995 4996 401df2 ShowWindow 4995->4996 4997 401dfd EnableWindow 4995->4997 4998 402a4c 4996->4998 4997->4998 5086 4022df 5087 402bbf 18 API calls 5086->5087 5088 4022ee 5087->5088 5089 402bbf 18 API calls 5088->5089 5090 4022f7 5089->5090 5091 402bbf 18 API calls 5090->5091 5092 402301 GetPrivateProfileStringW 5091->5092 5221 401bdf 5222 402ba2 18 API calls 5221->5222 5223 401be6 5222->5223 5224 402ba2 18 API calls 5223->5224 5225 401bf0 5224->5225 5226 401c00 5225->5226 5227 402bbf 18 API calls 5225->5227 5228 401c10 5226->5228 5231 402bbf 18 API calls 5226->5231 5227->5226 5229 401c1b 5228->5229 5230 401c5f 5228->5230 5232 402ba2 18 API calls 5229->5232 5233 402bbf 18 API calls 5230->5233 5231->5228 5234 401c20 5232->5234 5235 401c64 5233->5235 5236 402ba2 18 API calls 5234->5236 5237 402bbf 18 API calls 5235->5237 5238 401c29 5236->5238 5239 401c6d FindWindowExW 5237->5239 5240 401c31 SendMessageTimeoutW 5238->5240 5241 401c4f SendMessageW 5238->5241 5242 401c8f 5239->5242 5240->5242 5241->5242 5243 401960 5244 402ba2 18 API calls 5243->5244 5245 401967 5244->5245 5246 402ba2 18 API calls 5245->5246 5247 401971 5246->5247 5248 402bbf 18 API calls 5247->5248 5249 40197a 5248->5249 5250 40198e lstrlenW 5249->5250 5251 4019ca 5249->5251 5252 401998 
5250->5252 5252->5251 5256 40601f lstrcpynW 5252->5256 5254 4019b3 5254->5251 5255 4019c0 lstrlenW 5254->5255 5255->5251 5256->5254 5257 401662 5258 402bbf 18 API calls 5257->5258 5259 401668 5258->5259 5260 406362 2 API calls 5259->5260 5261 40166e 5260->5261 5262 4066e3 5264 406567 5262->5264 5263 406ed2 5264->5263 5265 4065f1 GlobalAlloc 5264->5265 5266 4065e8 GlobalFree 5264->5266 5267 406668 GlobalAlloc 5264->5267 5268 40665f GlobalFree 5264->5268 5265->5263 5265->5264 5266->5265 5267->5263 5267->5264 5268->5267 5269 4019e4 5270 402bbf 18 API calls 5269->5270 5271 4019eb 5270->5271 5272 402bbf 18 API calls 5271->5272 5273 4019f4 5272->5273 5274 4019fb lstrcmpiW 5273->5274 5275 401a0d lstrcmpW 5273->5275 5276 401a01 5274->5276 5275->5276 4248 4025e5 4262 402ba2 4248->4262 4250 4025f4 4251 40263a ReadFile 4250->4251 4253 4026d3 4250->4253 4254 40267a MultiByteToWideChar 4250->4254 4255 40272f 4250->4255 4258 4026a0 SetFilePointer MultiByteToWideChar 4250->4258 4259 402740 4250->4259 4261 40272d 4250->4261 4274 405c77 ReadFile 4250->4274 4251->4250 4251->4261 4253->4250 4253->4261 4265 405cd5 SetFilePointer 4253->4265 4254->4250 4276 405f66 wsprintfW 4255->4276 4258->4250 4260 402761 SetFilePointer 4259->4260 4259->4261 4260->4261 4263 406041 18 API calls 4262->4263 4264 402bb6 4263->4264 4264->4250 4266 405cf1 4265->4266 4267 405d0d 4265->4267 4268 405c77 ReadFile 4266->4268 4267->4253 4269 405cfd 4268->4269 4269->4267 4270 405d16 SetFilePointer 4269->4270 4271 405d3e SetFilePointer 4269->4271 4270->4271 4272 405d21 4270->4272 4271->4267 4277 405ca6 WriteFile 4272->4277 4275 405c95 4274->4275 4275->4250 4276->4261 4278 405cc4 4277->4278 4278->4267 4279 401e66 4280 402bbf 18 API calls 4279->4280 4281 401e6c 4280->4281 4282 40517e 25 API calls 4281->4282 4283 401e76 4282->4283 4297 4056ff CreateProcessW 4283->4297 4286 401edb CloseHandle 4289 40281e 4286->4289 4287 401e8c WaitForSingleObject 4288 401e9e 4287->4288 4290 401eb0 GetExitCodeProcess 4288->4290 4300 
406431 4288->4300 4292 401ec2 4290->4292 4293 401ecf 4290->4293 4304 405f66 wsprintfW 4292->4304 4293->4286 4294 401ecd 4293->4294 4294->4286 4298 405732 CloseHandle 4297->4298 4299 401e7c 4297->4299 4298->4299 4299->4286 4299->4287 4299->4289 4301 40644e PeekMessageW 4300->4301 4302 406444 DispatchMessageW 4301->4302 4303 401ea5 WaitForSingleObject 4301->4303 4302->4301 4303->4288 4304->4294 4314 401767 4315 402bbf 18 API calls 4314->4315 4316 40176e 4315->4316 4317 401796 4316->4317 4318 40178e 4316->4318 4376 40601f lstrcpynW 4317->4376 4375 40601f lstrcpynW 4318->4375 4321 401794 4325 4062b3 5 API calls 4321->4325 4322 4017a1 4377 4059d3 lstrlenW CharPrevW 4322->4377 4351 4017b3 4325->4351 4327 4017ef 4383 405bcf GetFileAttributesW 4327->4383 4330 4017c5 CompareFileTime 4330->4351 4331 401885 4333 40517e 25 API calls 4331->4333 4332 40185c 4334 40517e 25 API calls 4332->4334 4342 401871 4332->4342 4336 40188f 4333->4336 4334->4342 4335 40601f lstrcpynW 4335->4351 4354 403027 4336->4354 4339 4018b6 SetFileTime 4341 4018c8 FindCloseChangeNotification 4339->4341 4340 406041 18 API calls 4340->4351 4341->4342 4343 4018d9 4341->4343 4344 4018f1 4343->4344 4345 4018de 4343->4345 4346 406041 18 API calls 4344->4346 4347 406041 18 API calls 4345->4347 4348 4018f9 4346->4348 4350 4018e6 lstrcatW 4347->4350 4352 405764 MessageBoxIndirectW 4348->4352 4350->4348 4351->4327 4351->4330 4351->4331 4351->4332 4351->4335 4351->4340 4353 405bf4 GetFileAttributesW CreateFileW 4351->4353 4380 406362 FindFirstFileW 4351->4380 4386 405764 4351->4386 4352->4342 4353->4351 4356 403040 4354->4356 4355 40306b 4390 40320c 4355->4390 4356->4355 4400 403222 SetFilePointer 4356->4400 4360 403088 GetTickCount 4371 40309b 4360->4371 4361 4031ac 4362 4031b0 4361->4362 4367 4031c8 4361->4367 4364 40320c ReadFile 4362->4364 4363 4018a2 4363->4339 4363->4341 4364->4363 4365 40320c ReadFile 4365->4367 4366 40320c ReadFile 4366->4371 4367->4363 4367->4365 4368 405ca6 WriteFile 4367->4368 4368->4367 
4370 403101 GetTickCount 4370->4371 4371->4363 4371->4366 4371->4370 4372 40312a MulDiv wsprintfW 4371->4372 4374 405ca6 WriteFile 4371->4374 4393 406534 4371->4393 4373 40517e 25 API calls 4372->4373 4373->4371 4374->4371 4375->4321 4376->4322 4378 4017a7 lstrcatW 4377->4378 4379 4059ef lstrcatW 4377->4379 4378->4321 4379->4378 4381 406378 FindClose 4380->4381 4382 406383 4380->4382 4381->4382 4382->4351 4384 405be1 SetFileAttributesW 4383->4384 4385 405bee 4383->4385 4384->4385 4385->4351 4387 405779 4386->4387 4388 4057c5 4387->4388 4389 40578d MessageBoxIndirectW 4387->4389 4388->4351 4389->4388 4391 405c77 ReadFile 4390->4391 4392 403076 4391->4392 4392->4360 4392->4361 4392->4363 4394 406559 4393->4394 4395 406561 4393->4395 4394->4371 4395->4394 4396 4065f1 GlobalAlloc 4395->4396 4397 4065e8 GlobalFree 4395->4397 4398 406668 GlobalAlloc 4395->4398 4399 40665f GlobalFree 4395->4399 4396->4394 4396->4395 4397->4396 4398->4394 4398->4395 4399->4398 4400->4355 5277 401ee9 5278 402bbf 18 API calls 5277->5278 5279 401ef0 5278->5279 5280 406362 2 API calls 5279->5280 5281 401ef6 5280->5281 5283 401f07 5281->5283 5284 405f66 wsprintfW 5281->5284 5284->5283 5285 100018a9 5287 100018cc 5285->5287 5286 10001911 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5289 10001272 2 API calls 5286->5289 5287->5286 5288 100018ff GlobalFree 5287->5288 5288->5286 5290 10001a87 GlobalFree GlobalFree 5289->5290 4404 40326a SetErrorMode GetVersion 4405 40329e 4404->4405 4406 4032a4 4404->4406 4407 4063f5 5 API calls 4405->4407 4495 406389 GetSystemDirectoryW 4406->4495 4407->4406 4409 4032bb 4410 406389 3 API calls 4409->4410 4411 4032c5 4410->4411 4412 406389 3 API calls 4411->4412 4413 4032cf 4412->4413 4498 4063f5 GetModuleHandleA 4413->4498 4416 4063f5 5 API calls 4417 4032dd #17 OleInitialize SHGetFileInfoW 4416->4417 4504 40601f lstrcpynW 4417->4504 4419 40331a GetCommandLineW 4505 40601f lstrcpynW 4419->4505 4421 40332c GetModuleHandleW 4422 403344 4421->4422 4423 405a00 
CharNextW 4422->4423 4424 403353 CharNextW 4423->4424 4425 40347e GetTempPathW 4424->4425 4435 40336c 4424->4435 4506 403239 4425->4506 4427 403496 4428 4034f0 DeleteFileW 4427->4428 4429 40349a GetWindowsDirectoryW lstrcatW 4427->4429 4516 402dee GetTickCount GetModuleFileNameW 4428->4516 4430 403239 12 API calls 4429->4430 4433 4034b6 4430->4433 4431 405a00 CharNextW 4431->4435 4433->4428 4436 4034ba GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4433->4436 4434 403504 4442 405a00 CharNextW 4434->4442 4479 4035a7 4434->4479 4490 4035b7 4434->4490 4435->4431 4438 403469 4435->4438 4440 403467 4435->4440 4439 403239 12 API calls 4436->4439 4600 40601f lstrcpynW 4438->4600 4445 4034e8 4439->4445 4440->4425 4457 403523 4442->4457 4445->4428 4445->4490 4446 4036f2 4449 403776 ExitProcess 4446->4449 4450 4036fa GetCurrentProcess OpenProcessToken 4446->4450 4447 4035d2 4448 405764 MessageBoxIndirectW 4447->4448 4454 4035e0 ExitProcess 4448->4454 4455 403712 LookupPrivilegeValueW AdjustTokenPrivileges 4450->4455 4456 403746 4450->4456 4452 403581 4601 405adb 4452->4601 4453 4035e8 4624 4056e7 4453->4624 4455->4456 4460 4063f5 5 API calls 4456->4460 4457->4452 4457->4453 4469 40374d 4460->4469 4462 403762 ExitWindowsEx 4462->4449 4466 40376f 4462->4466 4464 403609 lstrcatW lstrcmpiW 4468 403625 4464->4468 4464->4490 4465 4035fe lstrcatW 4465->4464 4641 40140b 4466->4641 4472 403631 4468->4472 4473 40362a 4468->4473 4469->4462 4469->4466 4471 40359c 4616 40601f lstrcpynW 4471->4616 4632 4056ca CreateDirectoryW 4472->4632 4627 40564d CreateDirectoryW 4473->4627 4478 403636 SetCurrentDirectoryW 4480 403651 4478->4480 4481 403646 4478->4481 4544 403868 4479->4544 4636 40601f lstrcpynW 4480->4636 4635 40601f lstrcpynW 4481->4635 4484 406041 18 API calls 4485 403690 DeleteFileW 4484->4485 4486 40369d CopyFileW 4485->4486 4492 40365f 4485->4492 4486->4492 4487 4036e6 4488 405ec0 38 API calls 4487->4488 4488->4490 4617 40378e 4490->4617 4491 406041 18 API 
calls 4491->4492 4492->4484 4492->4487 4492->4491 4493 4056ff 2 API calls 4492->4493 4494 4036d1 CloseHandle 4492->4494 4637 405ec0 MoveFileExW 4492->4637 4493->4492 4494->4492 4496 4063ab wsprintfW LoadLibraryW 4495->4496 4496->4409 4499 406411 4498->4499 4500 40641b GetProcAddress 4498->4500 4501 406389 3 API calls 4499->4501 4502 4032d6 4500->4502 4503 406417 4501->4503 4502->4416 4503->4500 4503->4502 4504->4419 4505->4421 4507 4062b3 5 API calls 4506->4507 4508 403245 4507->4508 4509 40324f 4508->4509 4510 4059d3 3 API calls 4508->4510 4509->4427 4511 403257 4510->4511 4512 4056ca 2 API calls 4511->4512 4513 40325d 4512->4513 4644 405c23 4513->4644 4648 405bf4 GetFileAttributesW CreateFileW 4516->4648 4518 402e2e 4535 402e3e 4518->4535 4649 40601f lstrcpynW 4518->4649 4520 402e54 4650 405a1f lstrlenW 4520->4650 4524 402e65 GetFileSize 4540 402f61 4524->4540 4543 402e7c 4524->4543 4526 402f6a 4528 402f9a GlobalAlloc 4526->4528 4526->4535 4667 403222 SetFilePointer 4526->4667 4527 40320c ReadFile 4527->4543 4666 403222 SetFilePointer 4528->4666 4530 402fcd 4532 402d8a 6 API calls 4530->4532 4532->4535 4533 402f83 4536 40320c ReadFile 4533->4536 4534 402fb5 4537 403027 36 API calls 4534->4537 4535->4434 4538 402f8e 4536->4538 4541 402fc1 4537->4541 4538->4528 4538->4535 4539 402d8a 6 API calls 4539->4543 4655 402d8a 4540->4655 4541->4535 4541->4541 4542 402ffe SetFilePointer 4541->4542 4542->4535 4543->4527 4543->4530 4543->4535 4543->4539 4543->4540 4545 4063f5 5 API calls 4544->4545 4546 40387c 4545->4546 4547 403882 4546->4547 4548 403894 4546->4548 4684 405f66 wsprintfW 4547->4684 4549 405eec 3 API calls 4548->4549 4550 4038c4 4549->4550 4551 4038e3 lstrcatW 4550->4551 4553 405eec 3 API calls 4550->4553 4554 403892 4551->4554 4553->4551 4668 403b3e 4554->4668 4557 405adb 18 API calls 4558 403915 4557->4558 4559 4039a9 4558->4559 4561 405eec 3 API calls 4558->4561 4560 405adb 18 API calls 4559->4560 4562 4039af 4560->4562 4563 403947 4561->4563 4564 4039bf 
LoadImageW 4562->4564 4567 406041 18 API calls 4562->4567 4563->4559 4570 403968 lstrlenW 4563->4570 4574 405a00 CharNextW 4563->4574 4565 403a65 4564->4565 4566 4039e6 RegisterClassW 4564->4566 4569 40140b 2 API calls 4565->4569 4568 403a1c SystemParametersInfoW CreateWindowExW 4566->4568 4599 403a6f 4566->4599 4567->4564 4568->4565 4573 403a6b 4569->4573 4571 403976 lstrcmpiW 4570->4571 4572 40399c 4570->4572 4571->4572 4575 403986 GetFileAttributesW 4571->4575 4576 4059d3 3 API calls 4572->4576 4579 403b3e 19 API calls 4573->4579 4573->4599 4577 403965 4574->4577 4578 403992 4575->4578 4580 4039a2 4576->4580 4577->4570 4578->4572 4581 405a1f 2 API calls 4578->4581 4582 403a7c 4579->4582 4685 40601f lstrcpynW 4580->4685 4581->4572 4584 403a88 ShowWindow 4582->4584 4585 403b0b 4582->4585 4587 406389 3 API calls 4584->4587 4677 405251 OleInitialize 4585->4677 4589 403aa0 4587->4589 4588 403b11 4590 403b15 4588->4590 4591 403b2d 4588->4591 4592 403aae GetClassInfoW 4589->4592 4594 406389 3 API calls 4589->4594 4598 40140b 2 API calls 4590->4598 4590->4599 4593 40140b 2 API calls 4591->4593 4595 403ac2 GetClassInfoW RegisterClassW 4592->4595 4596 403ad8 DialogBoxParamW 4592->4596 4593->4599 4594->4592 4595->4596 4597 40140b 2 API calls 4596->4597 4597->4599 4598->4599 4599->4490 4600->4440 4694 40601f lstrcpynW 4601->4694 4603 405aec 4695 405a7e CharNextW CharNextW 4603->4695 4606 40358d 4606->4490 4615 40601f lstrcpynW 4606->4615 4607 4062b3 5 API calls 4613 405b02 4607->4613 4608 405b33 lstrlenW 4609 405b3e 4608->4609 4608->4613 4611 4059d3 3 API calls 4609->4611 4610 406362 2 API calls 4610->4613 4612 405b43 GetFileAttributesW 4611->4612 4612->4606 4613->4606 4613->4608 4613->4610 4614 405a1f 2 API calls 4613->4614 4614->4608 4615->4471 4616->4479 4618 4037a6 4617->4618 4619 403798 CloseHandle 4617->4619 4701 4037d3 4618->4701 4619->4618 4625 4063f5 5 API calls 4624->4625 4626 4035ed lstrcatW 4625->4626 4626->4464 4626->4465 4628 40362f 4627->4628 4629 40569e 
GetLastError 4627->4629 4628->4478 4629->4628 4630 4056ad SetFileSecurityW 4629->4630 4630->4628 4631 4056c3 GetLastError 4630->4631 4631->4628 4633 4056da 4632->4633 4634 4056de GetLastError 4632->4634 4633->4478 4634->4633 4635->4480 4636->4492 4638 405ee1 4637->4638 4639 405ed4 4637->4639 4638->4492 4754 405d4e lstrcpyW 4639->4754 4642 401389 2 API calls 4641->4642 4643 401420 4642->4643 4643->4449 4645 405c30 GetTickCount GetTempFileNameW 4644->4645 4646 403268 4645->4646 4647 405c66 4645->4647 4646->4427 4647->4645 4647->4646 4648->4518 4649->4520 4651 405a2d 4650->4651 4652 405a33 CharPrevW 4651->4652 4653 402e5a 4651->4653 4652->4651 4652->4653 4654 40601f lstrcpynW 4653->4654 4654->4524 4656 402d93 4655->4656 4657 402dab 4655->4657 4658 402da3 4656->4658 4659 402d9c DestroyWindow 4656->4659 4660 402db3 4657->4660 4661 402dbb GetTickCount 4657->4661 4658->4526 4659->4658 4664 406431 2 API calls 4660->4664 4662 402dc9 CreateDialogParamW ShowWindow 4661->4662 4663 402dec 4661->4663 4662->4663 4663->4526 4665 402db9 4664->4665 4665->4526 4666->4534 4667->4533 4669 403b52 4668->4669 4686 405f66 wsprintfW 4669->4686 4671 403bc3 4672 406041 18 API calls 4671->4672 4673 403bcf SetWindowTextW 4672->4673 4674 4038f3 4673->4674 4675 403beb 4673->4675 4674->4557 4675->4674 4676 406041 18 API calls 4675->4676 4676->4675 4687 40412f 4677->4687 4679 405274 4682 40529b 4679->4682 4690 401389 4679->4690 4680 40412f SendMessageW 4681 4052ad OleUninitialize 4680->4681 4681->4588 4682->4680 4684->4554 4685->4559 4686->4671 4688 404147 4687->4688 4689 404138 SendMessageW 4687->4689 4688->4679 4689->4688 4692 401390 4690->4692 4691 4013fe 4691->4679 4692->4691 4693 4013cb MulDiv SendMessageW 4692->4693 4693->4692 4694->4603 4696 405a9b 4695->4696 4700 405aad 4695->4700 4698 405aa8 CharNextW 4696->4698 4696->4700 4697 405ad1 4697->4606 4697->4607 4698->4697 4699 405a00 CharNextW 4699->4700 4700->4697 4700->4699 4702 4037e1 4701->4702 4703 4037ab 4702->4703 4704 4037e6 FreeLibrary 
GlobalFree 4702->4704 4705 405810 4703->4705 4704->4703 4704->4704 4706 405adb 18 API calls 4705->4706 4707 405830 4706->4707 4708 405838 DeleteFileW 4707->4708 4709 40584f 4707->4709 4710 4035c0 OleUninitialize 4708->4710 4712 40597a 4709->4712 4744 40601f lstrcpynW 4709->4744 4710->4446 4710->4447 4712->4710 4718 406362 2 API calls 4712->4718 4713 405875 4714 405888 4713->4714 4715 40587b lstrcatW 4713->4715 4717 405a1f 2 API calls 4714->4717 4716 40588e 4715->4716 4719 40589e lstrcatW 4716->4719 4721 4058a9 lstrlenW FindFirstFileW 4716->4721 4717->4716 4720 405994 4718->4720 4719->4721 4720->4710 4722 405998 4720->4722 4723 40596f 4721->4723 4742 4058cb 4721->4742 4724 4059d3 3 API calls 4722->4724 4723->4712 4725 40599e 4724->4725 4727 4057c8 5 API calls 4725->4727 4726 405952 FindNextFileW 4729 405968 FindClose 4726->4729 4726->4742 4730 4059aa 4727->4730 4729->4723 4731 4059c4 4730->4731 4732 4059ae 4730->4732 4734 40517e 25 API calls 4731->4734 4732->4710 4735 40517e 25 API calls 4732->4735 4734->4710 4737 4059bb 4735->4737 4736 405810 62 API calls 4736->4742 4738 405ec0 38 API calls 4737->4738 4740 4059c2 4738->4740 4739 40517e 25 API calls 4739->4726 4740->4710 4741 40517e 25 API calls 4741->4742 4742->4726 4742->4736 4742->4739 4742->4741 4743 405ec0 38 API calls 4742->4743 4745 40601f lstrcpynW 4742->4745 4746 4057c8 4742->4746 4743->4742 4744->4713 4745->4742 4747 405bcf 2 API calls 4746->4747 4748 4057d4 4747->4748 4749 4057e3 RemoveDirectoryW 4748->4749 4750 4057eb DeleteFileW 4748->4750 4751 4057f5 4748->4751 4752 4057f1 4749->4752 4750->4752 4751->4742 4752->4751 4753 405801 SetFileAttributesW 4752->4753 4753->4751 4755 405d76 4754->4755 4756 405d9c GetShortPathNameW 4754->4756 4781 405bf4 GetFileAttributesW CreateFileW 4755->4781 4758 405db1 4756->4758 4759 405ebb 4756->4759 4758->4759 4761 405db9 wsprintfA 4758->4761 4759->4638 4760 405d80 CloseHandle GetShortPathNameW 4760->4759 4762 405d94 4760->4762 4763 406041 18 API calls 4761->4763 
4762->4756 4762->4759 4764 405de1 4763->4764 4782 405bf4 GetFileAttributesW CreateFileW 4764->4782 4766 405dee 4766->4759 4767 405dfd GetFileSize GlobalAlloc 4766->4767 4768 405eb4 CloseHandle 4767->4768 4769 405e1f 4767->4769 4768->4759 4770 405c77 ReadFile 4769->4770 4771 405e27 4770->4771 4771->4768 4783 405b59 lstrlenA 4771->4783 4774 405e52 4776 405b59 4 API calls 4774->4776 4775 405e3e lstrcpyA 4777 405e60 4775->4777 4776->4777 4778 405e97 SetFilePointer 4777->4778 4779 405ca6 WriteFile 4778->4779 4780 405ead GlobalFree 4779->4780 4780->4768 4781->4760 4782->4766 4784 405b9a lstrlenA 4783->4784 4785 405ba2 4784->4785 4786 405b73 lstrcmpiA 4784->4786 4785->4774 4785->4775 4786->4785 4787 405b91 CharNextA 4786->4787 4787->4784 4788 4021ea 4789 402bbf 18 API calls 4788->4789 4790 4021f0 4789->4790 4791 402bbf 18 API calls 4790->4791 4792 4021f9 4791->4792 4793 402bbf 18 API calls 4792->4793 4794 402202 4793->4794 4795 406362 2 API calls 4794->4795 4796 40220b 4795->4796 4797 40221c lstrlenW lstrlenW 4796->4797 4802 40220f 4796->4802 4798 40517e 25 API calls 4797->4798 4801 40225a SHFileOperationW 4798->4801 4799 40517e 25 API calls 4800 402217 4799->4800 4801->4800 4801->4802 4802->4799 4802->4800 5291 40156b 5292 401584 5291->5292 5293 40157b ShowWindow 5291->5293 5294 401592 ShowWindow 5292->5294 5295 402a4c 5292->5295 5293->5292 5294->5295 5303 40226e 5304 402288 5303->5304 5305 402275 5303->5305 5306 406041 18 API calls 5305->5306 5307 402282 5306->5307 5308 405764 MessageBoxIndirectW 5307->5308 5308->5304 5309 4014f1 SetForegroundWindow 5310 402a4c 5309->5310 5311 4050f2 5312 405102 5311->5312 5313 405116 5311->5313 5314 40515f 5312->5314 5315 405108 5312->5315 5316 40511e IsWindowVisible 5313->5316 5322 405135 5313->5322 5317 405164 CallWindowProcW 5314->5317 5318 40412f SendMessageW 5315->5318 5316->5314 5319 40512b 5316->5319 5321 405112 5317->5321 5318->5321 5324 404a48 SendMessageW 5319->5324 5322->5317 5329 404ac8 5322->5329 5325 404aa7 SendMessageW 
5324->5325 5326 404a6b GetMessagePos ScreenToClient SendMessageW 5324->5326 5328 404a9f 5325->5328 5327 404aa4 5326->5327 5326->5328 5327->5325 5328->5322 5338 40601f lstrcpynW 5329->5338 5331 404adb 5339 405f66 wsprintfW 5331->5339 5333 404ae5 5334 40140b 2 API calls 5333->5334 5335 404aee 5334->5335 5340 40601f lstrcpynW 5335->5340 5337 404af5 5337->5314 5338->5331 5339->5333 5340->5337 5341 401673 5342 402bbf 18 API calls 5341->5342 5343 40167a 5342->5343 5344 402bbf 18 API calls 5343->5344 5345 401683 5344->5345 5346 402bbf 18 API calls 5345->5346 5347 40168c MoveFileW 5346->5347 5348 40169f 5347->5348 5354 401698 5347->5354 5349 406362 2 API calls 5348->5349 5352 4021e1 5348->5352 5351 4016ae 5349->5351 5350 401423 25 API calls 5350->5352 5351->5352 5353 405ec0 38 API calls 5351->5353 5353->5354 5354->5350 5355 100016b6 5356 100016e5 5355->5356 5357 10001b18 22 API calls 5356->5357 5358 100016ec 5357->5358 5359 100016f3 5358->5359 5360 100016ff 5358->5360 5361 10001272 2 API calls 5359->5361 5362 10001726 5360->5362 5363 10001709 5360->5363 5364 100016fd 5361->5364 5366 10001750 5362->5366 5367 1000172c 5362->5367 5365 1000153d 3 API calls 5363->5365 5369 1000170e 5365->5369 5368 1000153d 3 API calls 5366->5368 5370 100015b4 3 API calls 5367->5370 5368->5364 5371 100015b4 3 API calls 5369->5371 5372 10001731 5370->5372 5373 10001714 5371->5373 5374 10001272 2 API calls 5372->5374 5376 10001272 2 API calls 5373->5376 5375 10001737 GlobalFree 5374->5375 5375->5364 5377 1000174b GlobalFree 5375->5377 5378 1000171a GlobalFree 5376->5378 5377->5364 5378->5364 5379 4041f7 lstrcpynW lstrlenW 5380 10002238 5381 10002296 5380->5381 5382 100022cc 5380->5382 5381->5382 5383 100022a8 GlobalAlloc 5381->5383 5383->5381 5384 404afa GetDlgItem GetDlgItem 5385 404b4c 7 API calls 5384->5385 5393 404d65 5384->5393 5386 404be2 SendMessageW 5385->5386 5387 404bef DeleteObject 5385->5387 5386->5387 5388 404bf8 5387->5388 5389 404c2f 5388->5389 5392 406041 18 API calls 5388->5392 
5390 4040e3 19 API calls 5389->5390 5394 404c43 5390->5394 5391 404ef5 5396 404f07 5391->5396 5397 404eff SendMessageW 5391->5397 5398 404c11 SendMessageW SendMessageW 5392->5398 5395 404e49 5393->5395 5399 404a48 5 API calls 5393->5399 5416 404dd6 5393->5416 5400 4040e3 19 API calls 5394->5400 5395->5391 5401 404ea2 SendMessageW 5395->5401 5424 404d58 5395->5424 5404 404f20 5396->5404 5405 404f19 ImageList_Destroy 5396->5405 5418 404f30 5396->5418 5397->5396 5398->5388 5399->5416 5417 404c51 5400->5417 5407 404eb7 SendMessageW 5401->5407 5401->5424 5402 40414a 8 API calls 5408 4050eb 5402->5408 5403 404e3b SendMessageW 5403->5395 5409 404f29 GlobalFree 5404->5409 5404->5418 5405->5404 5406 40509f 5413 4050b1 ShowWindow GetDlgItem ShowWindow 5406->5413 5406->5424 5411 404eca 5407->5411 5409->5418 5410 404d26 GetWindowLongW SetWindowLongW 5412 404d3f 5410->5412 5422 404edb SendMessageW 5411->5422 5414 404d45 ShowWindow 5412->5414 5415 404d5d 5412->5415 5413->5424 5435 404118 SendMessageW 5414->5435 5436 404118 SendMessageW 5415->5436 5416->5395 5416->5403 5417->5410 5421 404ca1 SendMessageW 5417->5421 5423 404d20 5417->5423 5425 404cdd SendMessageW 5417->5425 5426 404cee SendMessageW 5417->5426 5418->5406 5427 404ac8 4 API calls 5418->5427 5431 404f6b 5418->5431 5421->5417 5422->5391 5423->5410 5423->5412 5424->5402 5425->5417 5426->5417 5427->5431 5428 405075 InvalidateRect 5428->5406 5429 40508b 5428->5429 5437 404a03 5429->5437 5430 404f99 SendMessageW 5434 404faf 5430->5434 5431->5430 5431->5434 5433 405023 SendMessageW SendMessageW 5433->5434 5434->5428 5434->5433 5435->5424 5436->5393 5440 40493a 5437->5440 5439 404a18 5439->5406 5441 404953 5440->5441 5442 406041 18 API calls 5441->5442 5443 4049b7 5442->5443 5444 406041 18 API calls 5443->5444 5445 4049c2 5444->5445 5446 406041 18 API calls 5445->5446 5447 4049d8 lstrlenW wsprintfW SetDlgItemTextW 5446->5447 5447->5439 5448 401cfa GetDlgItem GetClientRect 5449 402bbf 18 API calls 5448->5449 5450 401d2c 
LoadImageW SendMessageW 5449->5450 5451 401d4a DeleteObject 5450->5451 5452 402a4c 5450->5452 5451->5452 4960 40237b 4961 402381 4960->4961 4962 402bbf 18 API calls 4961->4962 4963 402393 4962->4963 4964 402bbf 18 API calls 4963->4964 4965 40239d RegCreateKeyExW 4964->4965 4966 4023c7 4965->4966 4968 40281e 4965->4968 4967 4023e2 4966->4967 4969 402bbf 18 API calls 4966->4969 4970 4023ee 4967->4970 4972 402ba2 18 API calls 4967->4972 4971 4023d8 lstrlenW 4969->4971 4973 402409 RegSetValueExW 4970->4973 4974 403027 36 API calls 4970->4974 4971->4967 4972->4970 4975 40241f RegCloseKey 4973->4975 4974->4973 4975->4968 4977 4027fb 4978 402bbf 18 API calls 4977->4978 4979 402802 FindFirstFileW 4978->4979 4980 40282a 4979->4980 4983 402815 4979->4983 4981 402833 4980->4981 4985 405f66 wsprintfW 4980->4985 4986 40601f lstrcpynW 4981->4986 4985->4981 4986->4983 5453 1000103d 5454 1000101b 5 API calls 5453->5454 5455 10001056 5454->5455 5456 40457e 5457 4045aa 5456->5457 5458 4045bb 5456->5458 5517 405748 GetDlgItemTextW 5457->5517 5459 4045c7 GetDlgItem 5458->5459 5466 404626 5458->5466 5462 4045db 5459->5462 5461 4045b5 5464 4062b3 5 API calls 5461->5464 5465 4045ef SetWindowTextW 5462->5465 5469 405a7e 4 API calls 5462->5469 5463 40470a 5515 4048b9 5463->5515 5519 405748 GetDlgItemTextW 5463->5519 5464->5458 5470 4040e3 19 API calls 5465->5470 5466->5463 5471 406041 18 API calls 5466->5471 5466->5515 5468 40414a 8 API calls 5473 4048cd 5468->5473 5474 4045e5 5469->5474 5475 40460b 5470->5475 5476 40469a SHBrowseForFolderW 5471->5476 5472 40473a 5477 405adb 18 API calls 5472->5477 5474->5465 5481 4059d3 3 API calls 5474->5481 5478 4040e3 19 API calls 5475->5478 5476->5463 5479 4046b2 CoTaskMemFree 5476->5479 5480 404740 5477->5480 5482 404619 5478->5482 5483 4059d3 3 API calls 5479->5483 5520 40601f lstrcpynW 5480->5520 5481->5465 5518 404118 SendMessageW 5482->5518 5485 4046bf 5483->5485 5488 4046f6 SetDlgItemTextW 5485->5488 5492 406041 18 API calls 5485->5492 5487 

                                                Control-flow Graph (starting at block 0040326A-0040329C; legend: executed / not executed; graph rendering not reproduced)
                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 0040328C
                                                • GetVersion.KERNEL32 ref: 00403292
                                                • #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032E2
                                                • OleInitialize.OLE32(00000000), ref: 004032E9
                                                • SHGetFileInfoW.SHELL32(004206C8,00000000,?,000002B4,00000000), ref: 00403305
                                                • GetCommandLineW.KERNEL32(00428220,NSIS Error), ref: 0040331A
                                                • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\WYnv59N83j.exe",00000000), ref: 0040332D
                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\WYnv59N83j.exe",00000020), ref: 00403354
                                                  • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                  • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348F
                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034A0
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034AC
                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034C0
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034C8
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D9
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034E1
                                                • DeleteFileW.KERNELBASE(1033), ref: 004034F5
                                                  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                • OleUninitialize.OLE32(?), ref: 004035C0
                                                • ExitProcess.KERNEL32 ref: 004035E2
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004035F5
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040926C), ref: 00403604
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040360F
                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\WYnv59N83j.exe",00000000,?), ref: 0040361B
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403637
                                                • DeleteFileW.KERNEL32(0041FEC8,0041FEC8,?,0042A000,?), ref: 00403691
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\WYnv59N83j.exe,0041FEC8,00000001), ref: 004036A5
                                                • CloseHandle.KERNEL32(00000000,0041FEC8,0041FEC8,?,0041FEC8,00000000), ref: 004036D2
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403701
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403708
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040371D
                                                • AdjustTokenPrivileges.ADVAPI32 ref: 00403740
                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403765
                                                • ExitProcess.KERNEL32 ref: 00403788
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
                                                • String ID: "C:\Users\user\Desktop\WYnv59N83j.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\outsplendour\urite$C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67$C:\Users\user\Desktop$C:\Users\user\Desktop\WYnv59N83j.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
                                                • API String ID: 3586999533-2745730527
                                                • Opcode ID: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                                • Instruction ID: 47b2dd04bf5340fec55df09ad24e258ddf9dfe897e1895205e314fce2ef220c4
                                                • Opcode Fuzzy Hash: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                                • Instruction Fuzzy Hash: 08D12770604200BAD720BF659D49A3B3AACEB4170AF50487FF441B61D2DB7D9941CB6E

                                                Control-flow Graph (starting at block 004052BD-004052D8; legend: executed / not executed; graph rendering not reproduced)
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 0040531B
                                                • GetDlgItem.USER32(?,000003EE), ref: 0040532A
                                                • GetClientRect.USER32(?,?), ref: 00405367
                                                • GetSystemMetrics.USER32(00000002), ref: 0040536E
                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538F
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053A0
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053B3
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053C1
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053D4
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053F6
                                                • ShowWindow.USER32(?,00000008), ref: 0040540A
                                                • GetDlgItem.USER32(?,000003EC), ref: 0040542B
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040543B
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405454
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405460
                                                • GetDlgItem.USER32(?,000003F8), ref: 00405339
                                                  • Part of subcall function 00404118: SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                • GetDlgItem.USER32(?,000003EC), ref: 0040547D
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005251,00000000), ref: 0040548B
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405492
                                                • ShowWindow.USER32(00000000), ref: 004054B6
                                                • ShowWindow.USER32(?,00000008), ref: 004054BB
                                                • ShowWindow.USER32(00000008), ref: 00405505
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405539
                                                • CreatePopupMenu.USER32 ref: 0040554A
                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040555E
                                                • GetWindowRect.USER32(?,?), ref: 0040557E
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405597
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CF
                                                • OpenClipboard.USER32(00000000), ref: 004055DF
                                                • EmptyClipboard.USER32 ref: 004055E5
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055F1
                                                • GlobalLock.KERNEL32(00000000), ref: 004055FB
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560F
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040562F
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 0040563A
                                                • CloseClipboard.USER32 ref: 00405640
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 4154960007-366298937

                                                APIs
                                                • GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,?,004051B5,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,00000000,0040FEC0), ref: 00406104
                                                • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406182
                                                • GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406195
                                                • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061D1
                                                • SHGetPathFromIDListW.SHELL32(?,Call), ref: 004061DF
                                                • CoTaskMemFree.OLE32(?), ref: 004061EA
                                                • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040620E
                                                • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,?,004051B5,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,00000000,0040FEC0), ref: 00406268
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 900638850-3498313719
                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
                                                • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                • GlobalFree.KERNEL32(?), ref: 10001D83
                                                • GlobalFree.KERNEL32(?), ref: 10001D88
                                                • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.4474564237.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474660573.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474705337.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$Alloc
                                                • String ID:
                                                • API String ID: 4227406936-0

                                                APIs
                                                • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WYnv59N83j.exe"), ref: 00405839
                                                • lstrcatW.KERNEL32(00424710,\*.*), ref: 00405881
                                                • lstrcatW.KERNEL32(?,00409014), ref: 004058A4
                                                • lstrlenW.KERNEL32(?,?,00409014,?,00424710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WYnv59N83j.exe"), ref: 004058AA
                                                • FindFirstFileW.KERNEL32(00424710,?,?,?,00409014,?,00424710,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WYnv59N83j.exe"), ref: 004058BA
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,00409300,0000002E), ref: 0040595A
                                                • FindClose.KERNEL32(00000000), ref: 00405969
                                                Strings
                                                • \*.*, xrefs: 0040587B
                                                • "C:\Users\user\Desktop\WYnv59N83j.exe", xrefs: 00405819
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040581D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\WYnv59N83j.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-613772612
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                APIs
                                                • FindFirstFileW.KERNELBASE(75923420,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                                • FindClose.KERNEL32(00000000), ref: 00406379
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: XWB
                                                • API String ID: 2295610775-4039527733
                                                APIs
                                                • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C47
                                                • ShowWindow.USER32(?), ref: 00403C64
                                                • DestroyWindow.USER32 ref: 00403C78
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C94
                                                • GetDlgItem.USER32(?,?), ref: 00403CB5
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC9
                                                • IsWindowEnabled.USER32(00000000), ref: 00403CD0
                                                • GetDlgItem.USER32(?,00000001), ref: 00403D7E
                                                • GetDlgItem.USER32(?,00000002), ref: 00403D88
                                                • SetClassLongW.USER32(?,000000F2,?), ref: 00403DA2
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403DF3
                                                • GetDlgItem.USER32(?,00000003), ref: 00403E99
                                                • ShowWindow.USER32(00000000,?), ref: 00403EBA
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403ECC
                                                • EnableWindow.USER32(?,?), ref: 00403EE7
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EFD
                                                • EnableMenuItem.USER32(00000000), ref: 00403F04
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F1C
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2F
                                                • lstrlenW.KERNEL32(00422708,?,00422708,00428220), ref: 00403F58
                                                • SetWindowTextW.USER32(?,00422708), ref: 00403F6C
                                                • ShowWindow.USER32(?,0000000A), ref: 004040A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID:
                                                • API String ID: 3282139019-0

                                                APIs
                                                  • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                  • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                • lstrcatW.KERNEL32(1033,00422708), ref: 004038E9
                                                • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\outsplendour\urite,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,75923420), ref: 00403969
                                                • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\outsplendour\urite,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000), ref: 0040397C
                                                • GetFileAttributesW.KERNEL32(Call), ref: 00403987
                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\outsplendour\urite), ref: 004039D0
                                                  • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                                • RegisterClassW.USER32(004281C0), ref: 00403A0D
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A25
                                                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A5A
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403A90
                                                • GetClassInfoW.USER32(00000000,RichEdit20W,004281C0), ref: 00403ABC
                                                • GetClassInfoW.USER32(00000000,RichEdit,004281C0), ref: 00403AC9
                                                • RegisterClassW.USER32(004281C0), ref: 00403AD2
                                                • DialogBoxParamW.USER32(?,00000000,00403C0B,00000000), ref: 00403AF1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\WYnv59N83j.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\outsplendour\urite$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                • API String ID: 1975747703-2142914895

                                                Control-flow Graph

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402DFF
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\WYnv59N83j.exe,00000400,?,?,00000000,00403504,?), ref: 00402E1B
                                                  • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\WYnv59N83j.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                  • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WYnv59N83j.exe,C:\Users\user\Desktop\WYnv59N83j.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00402E67
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\WYnv59N83j.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\WYnv59N83j.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 4283519449-3397537400

                                                Control-flow Graph

                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67,?,?,00000031), ref: 004017CD
                                                  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                  • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00403160), ref: 004051D9
                                                  • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll), ref: 004051EB
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp$C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll$C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67$Call
                                                • API String ID: 1941528284-1228628748

                                                Control-flow Graph

                                                APIs
                                                • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                • lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00403160), ref: 004051D9
                                                • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll), ref: 004051EB
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll
                                                • API String ID: 2531174081-1156247803

                                                Control-flow Graph

                                                APIs
                                                • ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                  • Part of subcall function 00405CD5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405CEB
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                • String ID: 9
                                                • API String ID: 163830602-2366072709

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: ... %d%%
                                                • API String ID: 551687249-2449383134

                                                Control-flow Graph

                                                • [Graph starting at 40237b; nodes marked Executed / Not Executed]
                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw6C73.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp
                                                • API String ID: 1356686001-1346317222

                                                Control-flow Graph

                                                • [Graph starting at 40564d; nodes marked Executed / Not Executed]
                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                                • GetLastError.KERNEL32 ref: 004056A4
                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B9
                                                • GetLastError.KERNEL32 ref: 004056C3
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405673
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 3449924974-823278215

                                                Control-flow Graph

                                                • [Graph starting at 402bff; nodes marked Executed / Not Executed]
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0

                                                Control-flow Graph

                                                • [Graph starting at 10001759; nodes marked Executed / Not Executed]
                                                APIs
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                  • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8
                                                  • Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                  • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.4474564237.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474660573.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474705337.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarylstrcpy
                                                • String ID:
                                                • API String ID: 1791698881-3916222277
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F16
                                                • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F37
                                                • RegCloseKey.KERNELBASE(?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F5A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Call
                                                • API String ID: 3677997916-1824292864
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405C41
                                                • GetTempFileNameW.KERNELBASE(00409300,?,00000000,?,?,?,00000000,00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00405C5C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-44229769
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
                                                • wsprintfW.USER32 ref: 004063DB
                                                • LoadLibraryW.KERNELBASE(?), ref: 004063EB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%S.dll
                                                • API String ID: 2200240437-2744773210
                                                APIs
                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                  • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00403160), ref: 004051D9
                                                  • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll), ref: 004051EB
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                  • Part of subcall function 004056FF: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                                  • Part of subcall function 004056FF: CloseHandle.KERNEL32(00409300), ref: 00405735
                                                • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 3585118688-0
                                                APIs
                                                  • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WYnv59N83j.exe"), ref: 00405A8C
                                                  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
                                                  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                  • Part of subcall function 0040564D: CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67,?,00000000,000000F0), ref: 00401645
                                                Strings
                                                • C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67, xrefs: 00401638
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67
                                                • API String ID: 1892508949-660862899
                                                • Opcode ID: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
                                                • Instruction ID: 9984d83288963ddb5bfb53596c8c9f6ed7fbdeacdcadece23b283b8c4b9f7bd6
                                                • Opcode Fuzzy Hash: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
                                                • Instruction Fuzzy Hash: 70119331504505EBCF206FA48D4199F3AB1EF44368B24097BEA05B61F2D63A4A819E5E
                                                APIs
                                                  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                  • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WYnv59N83j.exe"), ref: 00405A8C
                                                  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
                                                  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
                                                • lstrlenW.KERNEL32(00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\WYnv59N83j.exe"), ref: 00405B34
                                                • GetFileAttributesW.KERNELBASE(00424F10,00424F10,00424F10,00424F10,00424F10,00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405B44
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405ADB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 3248276644-823278215
                                                • Opcode ID: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
                                                • Instruction ID: a8deb24d6afa2735206f329f0351f59021ff10951cf48c606255c952c9ad3203
                                                • Opcode Fuzzy Hash: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
                                                • Instruction Fuzzy Hash: CBF04921304E5215D622323A1C44AAF3554CFC1364705073BB861721E1CB3C9943DE7E
                                                APIs
                                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                                • CloseHandle.KERNEL32(00409300), ref: 00405735
                                                Strings
                                                • Error launching installer, xrefs: 00405712
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                                • Instruction ID: 0e3d6bea0253e84bb75e95f5fd13ebb7f1c25267a9e23a2e11a0c59c818b3a51
                                                • Opcode Fuzzy Hash: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                                • Instruction Fuzzy Hash: A1E0BFB4A50209BFEB10AB64ED45F7B77ADE704604F408521BD10F6190D774A9118A79
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                  • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                  • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00403160), ref: 004051D9
                                                  • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll), ref: 004051EB
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 334405425-0
                                                APIs
                                                • GlobalFree.KERNEL32(00000000), ref: 00401BA7
                                                • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree
                                                • String ID: Call
                                                • API String ID: 3394109436-1824292864
                                                APIs
                                                  • Part of subcall function 00406362: FindFirstFileW.KERNELBASE(75923420,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                                  • Part of subcall function 00406362: FindClose.KERNEL32(00000000), ref: 00406379
                                                • lstrlenW.KERNEL32 ref: 0040222A
                                                • lstrlenW.KERNEL32(00000000), ref: 00402235
                                                • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FileFindlstrlen$CloseFirstOperation
                                                • String ID:
                                                • API String ID: 1486964399-0
                                                APIs
                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Enum$CloseOpenValue
                                                • String ID:
                                                • API String ID: 167947723-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: ErrorLast_open
                                                • String ID:
                                                • API String ID: 1632358481-0
                                                APIs
                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
                                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                APIs
                                                  • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValue
                                                • String ID:
                                                • API String ID: 849931509-0
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                  • Part of subcall function 00406389: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
                                                  • Part of subcall function 00406389: wsprintfW.USER32 ref: 004063DB
                                                  • Part of subcall function 00406389: LoadLibraryW.KERNELBASE(?), ref: 004063EB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                APIs
                                                • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401DFD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\WYnv59N83j.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
                                                • Instruction ID: be88a92cb82447fd1599dbd49a9896cb6db060ceaa3ec03b2970cb079924df1d
                                                • Opcode Fuzzy Hash: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
                                                • Instruction Fuzzy Hash: FDD09E71658201AFEF098F20DE16F2E7AA2EB84B00F10562CB642940E0D6B15815DB16
                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00000000,0040325D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004056D0
                                                • GetLastError.KERNEL32 ref: 004056DE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
                                                • Instruction ID: d706e5ae47c7ee36432b9320fd90c1f42ce8b6abbc3a43a90ad219fc8104f268
                                                • Opcode Fuzzy Hash: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
                                                • Instruction Fuzzy Hash: 5DC04C30A19602DBDA105B31DD0871B7954AB50742F60CD36610AE51A0DA769811DD3E
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
                                                  • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FilePointerwsprintf
                                                • String ID:
                                                • API String ID: 327478801-0
                                                • Opcode ID: 64c495f6a90fc039130ad8c13d00fda46c397e26af27c45f3e8a2568f411c02f
                                                • Instruction ID: 1ea0f4fe546ff0a6cc1a224cb0175f0568d280dd86a823eff906e537ce259dc5
                                                • Opcode Fuzzy Hash: 64c495f6a90fc039130ad8c13d00fda46c397e26af27c45f3e8a2568f411c02f
                                                • Instruction Fuzzy Hash: DBE01A72A05514ABDB11AFA59E4ACAF766AEB40328B14443BF105F00E1C67D8D019A2E
                                                APIs
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWrite
                                                • String ID:
                                                • API String ID: 390214022-0
                                                • Opcode ID: 0286e3c2219f2336aac24a8adfc5af7a950c5186903a8fadcfb356e78ce5c9c9
                                                • Instruction ID: 900e0ed31166daec82b0b067df29ce1ac5916d1a5491b2584b310d9ae4f56f06
                                                • Opcode Fuzzy Hash: 0286e3c2219f2336aac24a8adfc5af7a950c5186903a8fadcfb356e78ce5c9c9
                                                • Instruction Fuzzy Hash: 5BE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB511B66C6D5FC1D4146A9
                                                APIs
                                                • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: PathSearch
                                                • String ID:
                                                • API String ID: 2203818243-0
                                                • Opcode ID: 81b4f86a52adf68e4702c4bb0bdf75428b0e0818ea45aab8824d6c610dacd1e5
                                                • Instruction ID: 0851ebd2278d1e7daa5b6d30d0a19f3cab84c03b6f2ce2edda3e72f353adab80
                                                • Opcode Fuzzy Hash: 81b4f86a52adf68e4702c4bb0bdf75428b0e0818ea45aab8824d6c610dacd1e5
                                                • Instruction Fuzzy Hash: DAE04F72304100ABD710CFA4DE49AAA77ACDB403A8F20457BE615A61D1E6B49A41972D
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040321F,00000000,00000000,00403076,000000FF,00000004,00000000,00000000,00000000), ref: 00405C8B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                • Instruction ID: b406f17295b0c4e2c80a39b4892fee2aa768816fba0af151b3e099c9f54450aa
                                                • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                • Instruction Fuzzy Hash: 3BE08632114259ABDF119E508C04EEB3B5CEB04350F004436F911E3180D230E9209BA4
                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004031ED,00000000,0040BEC0,?,0040BEC0,?,000000FF,00000004,00000000), ref: 00405CBA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
                                                • Instruction ID: 8766ac6266e8b07294e6d952513c2b0c694ccf73d68c0bd44325f5ff4784c02c
                                                • Opcode Fuzzy Hash: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
                                                • Instruction Fuzzy Hash: D4E08C3222835AABEF119E548C00EEB3B6CEB01360F004833F915E3190E231E9209BA8
                                                APIs
                                                • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.4474564237.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474660573.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474705337.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
                                                • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19
                                                APIs
                                                • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: PrivateProfileString
                                                • String ID:
                                                • API String ID: 1096422788-0
                                                • Opcode ID: 66f8b3e970e184d3ebc304a94ec291b034400799dc8d029390466380a40aecae
                                                • Instruction ID: 98211d2feed0509b4c5daa86fa820328d7278c452558b0b50cc2825d3d111cbc
                                                • Opcode Fuzzy Hash: 66f8b3e970e184d3ebc304a94ec291b034400799dc8d029390466380a40aecae
                                                • Instruction Fuzzy Hash: 64E04F30800204BBDF01AFA4CD49DBD3B79AB00344F14043AF900AB1D5E7F89A809749
                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: a6288d54b80525e4349bfae1f7e543b331b6d0696a7466d7176cefea4ee373d8
                                                • Instruction ID: 1b5af1e6617a4a9cd807fc22027cae36a39ca3b3e6b8606dbe65da2ef404c620
                                                • Opcode Fuzzy Hash: a6288d54b80525e4349bfae1f7e543b331b6d0696a7466d7176cefea4ee373d8
                                                • Instruction Fuzzy Hash: 41D01233B04100DBCB10DFA89A0869D77659B40334B208677D501F21E5D6B9C5515A19
                                                APIs
                                                • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: c20ba2f4b44bb730ed9beb80e31de2705d99c650012490af2887c79ee983c6a6
                                                • Instruction ID: 1f6dcfa326d5252f97bf96967583e82957cdc04532489552bbed9deb9ca34131
                                                • Opcode Fuzzy Hash: c20ba2f4b44bb730ed9beb80e31de2705d99c650012490af2887c79ee983c6a6
                                                • Instruction Fuzzy Hash: 26C09B757443017BDA318F509D49F27775867A4700F2544397350F70D0C774E451D61D
                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 60aa1d835f0e1251744f08a8622f304abcf8d31a66d486a38430c06eb2f41270
                                                • Instruction ID: 29b39a71cad52391c8dc255d064a3e1ff9ef0cb324877085b5716ecfb2dd3a49
                                                • Opcode Fuzzy Hash: 60aa1d835f0e1251744f08a8622f304abcf8d31a66d486a38430c06eb2f41270
                                                • Instruction Fuzzy Hash: 80B09236A84200BADA214B00ED09F857A62A76C701F008864B300240B0CAB284A2DB19
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403504,?), ref: 00403230
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                                • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,00403EDD), ref: 0040410F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: d47f543a0a5cf9255e047f9efd0c7089eb13675c2c376fedb6fe0e8f1e294cbf
                                                • Instruction ID: 08b0993790eca83da4683932159a1945e4cd9185bce414af844fcd550f832719
                                                • Opcode Fuzzy Hash: d47f543a0a5cf9255e047f9efd0c7089eb13675c2c376fedb6fe0e8f1e294cbf
                                                • Instruction Fuzzy Hash: 9AA01132808000ABCA028B80EF08C0ABB22FBE0300B008838F2008003083320820EB0A
                                                APIs
                                                • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: 70669ac5e73c5e0fd120337f743f0ec3388cc295a7de1ade3031c69f4afd3847
                                                • Instruction ID: 97e26b744c28169e8b025be137c519adc4d29a227e598783c976d4988d520b86
                                                • Opcode Fuzzy Hash: 70669ac5e73c5e0fd120337f743f0ec3388cc295a7de1ade3031c69f4afd3847
                                                • Instruction Fuzzy Hash: 47D0C977B14100ABD720EFB9AE898AB73ACEB513293204833D902E10A2D579D802866D
                                                APIs
                                                • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.4474564237.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474660573.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474705337.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: AllocGlobal
                                                • String ID:
                                                • API String ID: 3761449716-0
                                                • Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                • Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
                                                • Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                • Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 00404B12
                                                • GetDlgItem.USER32(?,00000408), ref: 00404B1D
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B67
                                                • LoadBitmapW.USER32(0000006E), ref: 00404B7A
                                                • SetWindowLongW.USER32(?,000000FC,004050F2), ref: 00404B93
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA7
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB9
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404BCF
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BDB
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BED
                                                • DeleteObject.GDI32(00000000), ref: 00404BF0
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C1B
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C27
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CBD
                                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE8
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CFC
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404D2B
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D39
                                                • ShowWindow.USER32(?,00000005), ref: 00404D4A
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E47
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EAC
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EC1
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE5
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F05
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404F1A
                                                • GlobalFree.KERNEL32(?), ref: 00404F2A
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FA3
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 0040504C
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040505B
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0040507B
                                                • ShowWindow.USER32(?,00000000), ref: 004050C9
                                                • GetDlgItem.USER32(?,000003FE), ref: 004050D4
                                                • ShowWindow.USER32(00000000), ref: 004050DB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 1638840714-813528018
                                                • Opcode ID: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
                                                • Instruction ID: d9c0fbcad293e7aaadacffa1f228c55c0cff6ebba89157b443eef3cf19c2f35f
                                                • Opcode Fuzzy Hash: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
                                                • Instruction Fuzzy Hash: AF026FB0A00209EFDB209F54DD85AAE7BB5FB84314F10857AF610BA2E1D7799D42CF58
                                                APIs
                                                • GetDlgItem.USER32(?,000003FB), ref: 004045CD
                                                • SetWindowTextW.USER32(00000000,?), ref: 004045F7
                                                • SHBrowseForFolderW.SHELL32(?), ref: 004046A8
                                                • CoTaskMemFree.OLE32(00000000), ref: 004046B3
                                                • lstrcmpiW.KERNEL32(Call,00422708,00000000,?,?), ref: 004046E5
                                                • lstrcatW.KERNEL32(?,Call), ref: 004046F1
                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404703
                                                  • Part of subcall function 00405748: GetDlgItemTextW.USER32(?,?,00000400,0040473A), ref: 0040575B
                                                  • Part of subcall function 004062B3: CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\WYnv59N83j.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                                  • Part of subcall function 004062B3: CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                                  • Part of subcall function 004062B3: CharNextW.USER32(00409300,"C:\Users\user\Desktop\WYnv59N83j.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                                  • Part of subcall function 004062B3: CharPrevW.USER32(00409300,00409300,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                                • GetDiskFreeSpaceW.KERNEL32(004206D8,?,?,0000040F,?,004206D8,004206D8,?,00000001,004206D8,?,?,000003FB,?), ref: 004047C6
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047E1
                                                  • Part of subcall function 0040493A: lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                  • Part of subcall function 0040493A: wsprintfW.USER32 ref: 004049E4
                                                  • Part of subcall function 0040493A: SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: A$C:\Users\user\AppData\Local\outsplendour\urite$Call
                                                • API String ID: 2624150263-3567458089
                                                • Opcode ID: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
                                                • Instruction ID: 5fc8bddc00f1cc174a6dc329f65f284a7a254117467b0892f0b405221262b822
                                                • Opcode Fuzzy Hash: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
                                                • Instruction Fuzzy Hash: D9A150B1D00209ABDB11AFA5CC85AAF77B8EF84315F11843BF611B72D1D77C8A418B69
                                                APIs
                                                • CoCreateInstance.OLE32(0040749C,?,00000001,0040748C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                Strings
                                                • C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67, xrefs: 00402154
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: C:\Users\user\AppData\Local\outsplendour\urite\Planarida86\Overfringsfrekvens67
                                                • API String ID: 542301482-660862899
                                                • Opcode ID: f6c9e515521f1fa62750a1a75da94e91cc5d062543102a3a6cbb304dea821779
                                                • Instruction ID: 6cbe38940624da38e40774ab578681f1f604b85ca8fb8198b005fe2b44c0e728
                                                • Opcode Fuzzy Hash: f6c9e515521f1fa62750a1a75da94e91cc5d062543102a3a6cbb304dea821779
                                                • Instruction Fuzzy Hash: A7411D75A00208AFCF00DFA4CD889AD7BB5FF48314B20457AF515EB2D1D7799A41CB55
                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040431E
                                                • GetDlgItem.USER32(?,000003E8), ref: 00404332
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040434F
                                                • GetSysColor.USER32(?), ref: 00404360
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040436E
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040437C
                                                • lstrlenW.KERNEL32(?), ref: 00404381
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040438E
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043A3
                                                • GetDlgItem.USER32(?,0000040A), ref: 004043FC
                                                • SendMessageW.USER32(00000000), ref: 00404403
                                                • GetDlgItem.USER32(?,000003E8), ref: 0040442E
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404471
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 0040447F
                                                • SetCursor.USER32(00000000), ref: 00404482
                                                • ShellExecuteW.SHELL32(0000070B,open,004271C0,00000000,00000000,00000001), ref: 00404497
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004044A3
                                                • SetCursor.USER32(00000000), ref: 004044A6
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044D5
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: Call$N$open
                                                • API String ID: 3615053054-2563687911
                                                • Opcode ID: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
                                                • Instruction ID: 4b5324550c8b175de7ac8ee9e9744dd98fad869a56f6e91fb07d2f074fcd5292
                                                • Opcode Fuzzy Hash: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
                                                • Instruction Fuzzy Hash: F87172B1A00209BFDB109F60DD85E6A7B69FB84354F00853AF705B62E1C778AD51CFA9
                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,00428220,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                APIs
                                                • lstrcpyW.KERNEL32(00425DA8,NUL), ref: 00405D5D
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00409300,00405EE1,?,?), ref: 00405D81
                                                • GetShortPathNameW.KERNEL32(?,00425DA8,00000400), ref: 00405D8A
                                                  • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                  • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                                • GetShortPathNameW.KERNEL32(004265A8,004265A8,00000400), ref: 00405DA7
                                                • wsprintfA.USER32 ref: 00405DC5
                                                • GetFileSize.KERNEL32(00000000,00000000,004265A8,C0000000,00000004,004265A8,?,?,?,?,?), ref: 00405E00
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0F
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E47
                                                • SetFilePointer.KERNEL32(00409578,00000000,00000000,00000000,00000000,004259A8,00000000,-0000000A,00409578,00000000,[Rename],00000000,00000000,00000000), ref: 00405E9D
                                                • GlobalFree.KERNEL32(00000000), ref: 00405EAE
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EB5
                                                  • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\WYnv59N83j.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                  • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                Strings
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                • String ID: %ls=%ls$NUL$[Rename]
                                                APIs
                                                • CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\WYnv59N83j.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                                • CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                                • CharNextW.USER32(00409300,"C:\Users\user\Desktop\WYnv59N83j.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                                • CharPrevW.USER32(00409300,00409300,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                                Strings
                                                • *?|<>/":, xrefs: 00406305
                                                • "C:\Users\user\Desktop\WYnv59N83j.exe", xrefs: 004062F7
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004062B4
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\WYnv59N83j.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 00404167
                                                • GetSysColor.USER32(00000000), ref: 00404183
                                                • SetTextColor.GDI32(?,00000000), ref: 0040418F
                                                • SetBkMode.GDI32(?,?), ref: 0040419B
                                                • GetSysColor.USER32(?), ref: 004041AE
                                                • SetBkColor.GDI32(?,?), ref: 004041BE
                                                • DeleteObject.GDI32(?), ref: 004041D8
                                                • CreateBrushIndirect.GDI32(?), ref: 004041E2
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A63
                                                • GetMessagePos.USER32 ref: 00404A6B
                                                • ScreenToClient.USER32(?,?), ref: 00404A85
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A97
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ABD
                                                Strings
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                • MulDiv.KERNEL32(0004B062,00000064,0004B266), ref: 00402D4D
                                                • wsprintfW.USER32 ref: 00402D5D
                                                • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402D57
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                APIs
                                                • GetDC.USER32(?), ref: 00401D59
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                • CreateFontIndirectW.GDI32(0040BDD0), ref: 00401DD1
                                                Strings
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID: Calibri
                                                APIs
                                                • GlobalFree.KERNEL32(00000000), ref: 10002416
                                                  • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.4474564237.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474660573.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474705337.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                • String ID:
                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalFree.KERNEL32(?), ref: 10002572
                                                • GlobalFree.KERNEL32(00000000), ref: 100025AD
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                • GlobalFree.KERNEL32(?), ref: 004028E9
                                                • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                • CloseHandle.KERNEL32(?), ref: 00402914
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsw6C73.tmp$C:\Users\user\AppData\Local\Temp\nsw6C73.tmp\System.dll
                                                • API String ID: 3109718747-1264069262
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.4474564237.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474660573.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474705337.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: FreeGlobal
                                                • String ID:
                                                • API String ID: 2979337801-0
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                • String ID:
                                                • API String ID: 1148316912-0
                                                APIs
                                                • GetDlgItem.USER32(?,?), ref: 00401D00
                                                • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                APIs
                                                • lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                • wsprintfW.USER32 ref: 004049E4
                                                • SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                APIs
                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059D9
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059E3
                                                • lstrcatW.KERNEL32(?,00409014), ref: 004059F5
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-823278215
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403504,?), ref: 00402D9D
                                                • GetTickCount.KERNEL32 ref: 00402DBB
                                                • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
                                                • ShowWindow.USER32(00000000,00000005,?,?,00000000,00403504,?), ref: 00402DE6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00405121
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 00405172
                                                  • Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                APIs
                                                • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,004037AB,004035C0,?), ref: 004037ED
                                                • GlobalFree.KERNEL32(?), ref: 004037F4
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-823278215
                                                APIs
                                                • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WYnv59N83j.exe,C:\Users\user\Desktop\WYnv59N83j.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A25
                                                • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\WYnv59N83j.exe,C:\Users\user\Desktop\WYnv59N83j.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A35
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-1246513382
                                                • Opcode ID: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
                                                • Instruction ID: 5bbf66532c1e6c52d9ac91e78c5b81189c295a76ad9a8eb5813a93f974e07d29
                                                • Opcode Fuzzy Hash: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
                                                • Instruction Fuzzy Hash: 95D05EB29109209AD322A708DC419AF73ACEF113407464466F401A31A5D3785D818AAA
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                • GlobalFree.KERNEL32(?), ref: 10001203
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4474613506.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.4474564237.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474660573.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.4474705337.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B81
                                                • CharNextA.USER32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B92
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4469228302.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4469168028.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469266143.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469386578.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4469723496.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_WYnv59N83j.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
                                                • Instruction ID: 1b7cebc677eab2b4d2404c83280ad7709bae0e65096c4b9ca61da70a623928b5
                                                • Opcode Fuzzy Hash: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
                                                • Instruction Fuzzy Hash: B9F06231504558AFC7029BA5DD40D9FBBB8EF06250B2540A9E800F7351D674FE019BA9