Windows Analysis Report
Eclf71HXa1.exe

Overview

General Information

Sample name: Eclf71HXa1.exe (renamed because original name is a hash value)
Original sample name: 9f478308a636906db8c36e77ce68b4c2.exe
Analysis ID: 1466585
MD5: 9f478308a636906db8c36e77ce68b4c2
SHA1: 369b818537e16c4c038ce0779bb031ba6980db9c
SHA256: 544095b7f34939172ea5bd6544be4c82357921f3153d17ac0e4b1b93dc363de4
Tags: 64, exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Excessive usage of taskkill to terminate processes
Potentially malicious time measurement code found
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • Eclf71HXa1.exe (PID: 6280 cmdline: "C:\Users\user\Desktop\Eclf71HXa1.exe" MD5: 9F478308A636906DB8C36E77CE68B4C2)
    • conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Eclf71HXa1.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\Eclf71HXa1.exe" MD5: 9F478308A636906DB8C36E77CE68B4C2)
      • cmd.exe (PID: 6332 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4564 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3716 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3492 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6664 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2004 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1608 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 396 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6308 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6492 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 7004 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6304 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6668 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5144 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2108 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7000 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5480 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1860 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6932 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 180 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 396 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6476 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2124 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2676 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5144 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6688 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2004 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6448 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6548 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3468 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5324 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2664 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1900 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3716 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2124 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7000 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6400 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6424 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1196 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5300 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6908 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1076 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2004 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2124 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3716 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6400 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 7000 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • MpCmdRun.exe (PID: 2676 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
        • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2944 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6688 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5660 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2004 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1076 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2108 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1696 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1020 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5324 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4476 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3300 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5568 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4308 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3484 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6248 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6300 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6440 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6488 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6660 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6980 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7120 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5444 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4488 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6424 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7024 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3716 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2424 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5680 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1516 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1144 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4476 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5324 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5936 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5064 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6204 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2056 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6408 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6312 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6644 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3396 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7040 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6980 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2128 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3624 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7140 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 340 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6400 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4364 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2300 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4812 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1352 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6640 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5660 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2596 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6108 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1020 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2676 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6016 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5904 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4340 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2364 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1888 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5568 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4956 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3484 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6248 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3636 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6456 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6644 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6680 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7092 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5472 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3668 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 7120 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3896 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4336 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1716 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1820 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5180 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2920 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3900 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1420 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4588 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4040 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1404 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2668 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3756 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4180 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4556 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5124 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 504 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2208 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3128 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5848 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3412 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3716 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2596 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5660 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2424 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5468 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1516 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4420 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 928 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 932 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1868 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1460 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6396 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5936 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6276 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6204 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5232 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2688 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4928 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5216 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6488 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5600 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2140 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6120 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4828 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5284 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6236 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6344 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6380 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6536 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6704 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5444 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6776 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6812 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 412 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6880 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6996 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6208 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5144 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 7004 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6180 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1276 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 884 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 332 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5016 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1284 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1028 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2248 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2176 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3916 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3868 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 944 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 4324 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 4020 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5436 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2720 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6100 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5632 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5212 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2200 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2852 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1848 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2344 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 3592 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2108 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2936 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5992 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5680 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2596 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 1144 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2424 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2676 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 1516 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6228 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6584 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6300 cmdline: taskkill /f /im rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3872 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2352 cmdline: taskkill /f /im rdp_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5608 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 940 cmdline: taskkill /f /im rdp_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3396 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2188 cmdline: taskkill /f /im wrm_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5596 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5600 cmdline: taskkill /f /im wrm_modul_v2.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2316 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6120 cmdline: taskkill /f /im wrm_modul_v3.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2500 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2564 cmdline: taskkill /f /im ape_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 2836 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 2832 cmdline: taskkill /f /im full_rdp_modul_v1.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6368 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6252 cmdline: taskkill /f /im rdp.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 6560 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6680 cmdline: taskkill /f /im wrm_modul_v4.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 3448 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 5444 cmdline: taskkill /f /im nl.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 7040 cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • taskkill.exe (PID: 6776 cmdline: taskkill /f /im WerFault.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Eclf71HXa1.exe, ReversingLabs: Detection: 13%
Source: Eclf71HXa1.exe, Virustotal: Detection: 28%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.0% probability
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004E5D50 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,2_2_00007FFE004E5D50
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004D7D40 CRYPTO_free,CRYPTO_memdup,2_2_00007FFE004D7D40
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004F7DD0 CRYPTO_zalloc,CRYPTO_free,2_2_00007FFE004F7DD0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C7DF0 CRYPTO_zalloc,ERR_put_error,2_2_00007FFE004C7DF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1E56 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free,2_2_00007FFE004C1E56
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1CD5 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,2_2_00007FFE004C1CD5
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004F3E40 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,2_2_00007FFE004F3E40
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004D5E70 CRYPTO_free,CRYPTO_strdup,2_2_00007FFE004D5E70
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE00507E6F CRYPTO_malloc,2_2_00007FFE00507E6F
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1B8B CRYPTO_free,CRYPTO_malloc,2_2_00007FFE004C1B8B
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1208 CRYPTO_zalloc,memcpy,memcpy,memcpy,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,2_2_00007FFE004C1208
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE0050BEF0 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,2_2_00007FFE0050BEF0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1AB4 CRYPTO_free,2_2_00007FFE004C1AB4
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004D5FAA CRYPTO_free,2_2_00007FFE004D5FAA
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C7F50 CRYPTO_zalloc,ERR_put_error,2_2_00007FFE004C7F50
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004FFF70 CRYPTO_free,CRYPTO_strndup,2_2_00007FFE004FFF70
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C15C8 EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,DH_free,EVP_PKEY_security_bits,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,2_2_00007FFE004C15C8
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004E2010 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,2_2_00007FFE004E2010
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C210D HMAC_CTX_new,EVP_CIPHER_CTX_new,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,2_2_00007FFE004C210D
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C2243 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,2_2_00007FFE004C2243
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C402B BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,2_2_00007FFE004C402B
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C9FC0 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,2_2_00007FFE004C9FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE00517FC0 CRYPTO_malloc,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,2_2_00007FFE00517FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE00509FC0 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,2_2_00007FFE00509FC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C14FB CRYPTO_free,CRYPTO_memdup,ERR_put_error,2_2_00007FFE004C14FB
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004D7FE0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,2_2_00007FFE004D7FE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004CDFE0 CRYPTO_malloc,2_2_00007FFE004CDFE0
Source: Eclf71HXa1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905401585.00007FFE11EBE000.00000002.00000001.01000000.0000000A.sdmp, _bz2.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source: Binary string: vcruntime140.amd64.pdbGCTL source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905252984.00007FFE1030D000.00000002.00000001.01000000.0000000E.sdmp, _ssl.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905507486.00007FFE11ED9000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905828042.00007FFE12E15000.00000002.00000001.01000000.0000000C.sdmp, _hashlib.pyd.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: .PdB] source: Eclf71HXa1.exe
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904573844.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905927859.00007FFE130C3000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905609905.00007FFE126D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: vcruntime140.amd64.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 0_2_00007FF6117976F0 FindFirstFileExW,FindClose,0_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 0_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 0_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 2_2_00007FF6117976F0 FindFirstFileExW,FindClose,2_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 2_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 2_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 2_2_00007FFDFB134462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,2_2_00007FFDFB134462
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 77.221.149.185:5988
Source: unknown TCP traffic detected without corresponding DNS query: 77.221.149.185
Source: Eclf71HXa1.exe, 00000002.00000002.2903163468.000002492F0E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bitbucket.org/techtonik/python-pager
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bitbucket.org/techtonik/python-wget/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://greenbytes.de/tech/tc2231/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0N
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pypi.python.org/pypi/wget/
Source: python38.dll.0.dr String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/
Source: Eclf71HXa1.exe, 00000000.00000003.1661863248.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2903203946.000002492F120000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Eclf71HXa1.exe, 00000002.00000002.2902566713.000002492EB90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC52C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.drString found in binary or memory: https://www.openssl.org/H
Source: cmd.exe Process created: 213
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004F89D02_2_00007FFE004F89D0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C191F2_2_00007FFE004C191F
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C6D002_2_00007FFE004C6D00
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C12B22_2_00007FFE004C12B2
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE0052CDB42_2_00007FFE0052CDB4
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE0051EF802_2_00007FFE0051EF80
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1BB32_2_00007FFE004C1BB3
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004DEFC02_2_00007FFE004DEFC0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1E6A2_2_00007FFE004C1E6A
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004CB4F02_2_00007FFE004CB4F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004D55402_2_00007FFE004D5540
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C12E42_2_00007FFE004C12E4
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004CF6952_2_00007FFE004CF695
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C24B92_2_00007FFE004C24B9
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C23DD2_2_00007FFE004C23DD
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1BF92_2_00007FFE004C1BF9
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004CFDB02_2_00007FFE004CFDB0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C15C82_2_00007FFE004C15C8
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C210D2_2_00007FFE004C210D
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE102572102_2_00007FFE10257210
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE102463502_2_00007FFE10246350
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE102343F02_2_00007FFE102343F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE1023EBE02_2_00007FFE1023EBE0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE102466102_2_00007FFE10246610
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE10241F112_2_00007FFE10241F11
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFE0052BE25 appears 103 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FF611791DB0 appears 36 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB131055 appears 1557 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB134688 appears 138 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FF611791DF0 appears 110 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB131FC3 appears 55 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB135DDA appears 737 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFE0052BD8F appears 195 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFE004C1023 appears 578 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB13206D appears 82 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB131FFF appears 31 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB131C08 appears 121 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB1341F6 appears 47 times
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: String function: 00007FFDFB1340F7 appears 384 times
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ha vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dll^ vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepython38.dll. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exeBinary or memory string: OriginalFilename vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905337272.00007FFE1031C000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905186948.00007FFE1026C000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905655183.00007FFE126DC000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905869845.00007FFE12E1A000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905442920.00007FFE11EC4000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905546571.00007FFE11EE3000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905761700.00007FFE126F3000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamevcruntime140.dll^ vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905965685.00007FFE130C6000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenamelibsslH vs Eclf71HXa1.exe
Source: Eclf71HXa1.exe, 00000002.00000002.2904817443.00007FFDFB87F000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamepython38.dll. vs Eclf71HXa1.exe
Source: classification engineClassification label: mal60.evad.winEXE@453/15@0/1
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF611791ED0 GetLastError,FormatMessageW,0_2_00007FF611791ED0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Users\user\Desktop\Eclf71HXa1.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI62802
Source: Eclf71HXa1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v2.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v2.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v1.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v3.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ape_modul_v1.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "full_rdp_modul_v1.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wrm_modul_v4.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rdp_modul_v3.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "nl.exe")
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WerFault.exe")
Source: C:\Users\user\Desktop\Eclf71HXa1.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Eclf71HXa1.exeReversingLabs: Detection: 13%
Source: Eclf71HXa1.exeVirustotal: Detection: 28%
Source: C:\Users\user\Desktop\Eclf71HXa1.exeFile read: C:\Users\user\Desktop\Eclf71HXa1.exe
Source: unknownProcess created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: Eclf71HXa1.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Eclf71HXa1.exe Static file information: File size 5424070 > 1048576
Source: Eclf71HXa1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Eclf71HXa1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Eclf71HXa1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Eclf71HXa1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Eclf71HXa1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Eclf71HXa1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Eclf71HXa1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905401585.00007FFE11EBE000.00000002.00000001.01000000.0000000A.sdmp, _bz2.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source: Binary string: vcruntime140.amd64.pdbGCTL source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905252984.00007FFE1030D000.00000002.00000001.01000000.0000000E.sdmp, _ssl.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905507486.00007FFE11ED9000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905828042.00007FFE12E15000.00000002.00000001.01000000.0000000C.sdmp, _hashlib.pyd.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: .PdB] source: Eclf71HXa1.exe
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: Eclf71HXa1.exe, 00000002.00000002.2904573844.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905927859.00007FFE130C3000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Eclf71HXa1.exe, 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp, libcrypto-1_1.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: Eclf71HXa1.exe, 00000002.00000002.2905609905.00007FFE126D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905126127.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp, _lzma.pyd.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC528000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source: Binary string: vcruntime140.amd64.pdb source: Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905720824.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source: Eclf71HXa1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Eclf71HXa1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Eclf71HXa1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Eclf71HXa1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Eclf71HXa1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004DCD2C push rbp; retf 0001h2_2_00007FFE004DCD2D
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004DCD28 pushfq ; retf 0001h2_2_00007FFE004DCD29
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE00505561 push rcx; ret 2_2_00007FFE00505562
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004E3C39 push 28C48348h; ret 2_2_00007FFE004E3C47
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libffi-7.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\libssl-1_1.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe File created: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF6117942E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF6117942E0
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFDFB1363AC rdtsc 2_2_00007FFDFB1363AC
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-18638
Source: C:\Users\user\Desktop\Eclf71HXa1.exeAPI coverage: 0.6 %
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF6117976F0 FindFirstFileExW,FindClose,0_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FF6117976F0 FindFirstFileExW,FindClose,2_2_00007FF6117976F0
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FF611796B80 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,2_2_00007FF611796B80
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FF6117B1674 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6117B1674
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFDFB134462 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,2_2_00007FFDFB134462
Source: Eclf71HXa1.exe, 00000002.00000003.1670073391.000002492CE9C000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFDFB1363AC2_2_00007FFDFB1363AC
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFDFB1364EC2_2_00007FFDFB1364EC
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFDFB1363AC rdtsc 2_2_00007FFDFB1363AC
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6117AA1D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF6117B3280 GetProcessHeap,0_2_00007FF6117B3280
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF61179AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF61179AD00
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF61179B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF61179B59C
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 0_2_00007FF61179B740 SetUnhandledExceptionFilter,0_2_00007FF61179B740
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FF6117AA1D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6117AA1D8
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FF61179AD00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF61179AD00
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FF61179B59C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF61179B59C
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FF61179B740 SetUnhandledExceptionFilter,2_2_00007FF61179B740
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFDFB134FDE __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFDFB134FDE
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE004C1D66 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFE004C1D66
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE1023411C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FFE1023411C
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE10234304 SetUnhandledExceptionFilter,2_2_00007FFE10234304
Source: C:\Users\user\Desktop\Eclf71HXa1.exeCode function: 2_2_00007FFE102336D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FFE102336D8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Users\user\Desktop\Eclf71HXa1.exe "C:\Users\user\Desktop\Eclf71HXa1.exe"
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v4.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im nl.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v1.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im WerFault.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im ape_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v2.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im wrm_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp_modul_v3.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im rdp.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im full_rdp_modul_v1.exe
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 0_2_00007FF6117B9650 cpuid 0_2_00007FF6117B9650
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\Desktop\Eclf71HXa1.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802 VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 0_2_00007FF61179B480 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF61179B480
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 0_2_00007FF6117B5B00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF6117B5B00
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\Eclf71HXa1.exe Code function: 2_2_00007FFDFB135DA3 bind,WSAGetLastError,2_2_00007FFDFB135DA3
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 31 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 11 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 51 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 44 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
[Behavior graph] Behavior Graph ID: 1466585; Sample: Eclf71HXa1.exe; Startdate: 03/07/2024; Architecture: WINDOWS; Score: 60
  • Signatures: Multi AV Scanner detection for submitted file; AI detected suspicious sample; Potentially malicious time measurement code found; Excessive usage of taskkill to terminate processes
  • Processes: Eclf71HXa1.exe started a second Eclf71HXa1.exe and conhost.exe; the second Eclf71HXa1.exe started cmd.exe (three instances shown) and 118 other processes; each cmd.exe started taskkill.exe (three further taskkill.exe instances and 115 other processes shown under the grouped node)
  • Dropped files: C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\select.pyd, PE32+; C:\Users\user\AppData\Local\...\python38.dll, PE32+; 10 other files (none is malicious)
  • DNS/IP: 77.221.149.185, 49730, 49731, 49738 INFOBOX-ASInfoboxruAutonomousSystemRU Russian Federation

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Eclf71HXa1.exe | 13% | ReversingLabs | Win64.Trojan.Generic | |
| Eclf71HXa1.exe | 29% | Virustotal | | Browse |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_ctypes.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_hashlib.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_lzma.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_socket.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\_ssl.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\libcrypto-1_1.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\libffi-7.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\libffi-7.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\libssl-1_1.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\libssl-1_1.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\python38.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\select.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\unicodedata.pyd | 0% | Virustotal | | Browse |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe | |
| http://ocsp.thawte.com0 | 0% | URL Reputation | safe | |
| http://ocsp.thawte.com0 | 0% | URL Reputation | safe | |
| https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Avira URL Cloud | safe | |
| http://python.org/dev/peps/pep-0263/ | 0% | Avira URL Cloud | safe | |
| https://mahler:8092/site-updates.py | 0% | Avira URL Cloud | safe | |
| http://www.python.org/ | 0% | Avira URL Cloud | safe | |
| http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | 0% | Avira URL Cloud | safe | |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 0% | Avira URL Cloud | safe | |
| https://www.openssl.org/H | 0% | Avira URL Cloud | safe | |
| http://crl.mic | 0% | Avira URL Cloud | safe | |
| http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | 0% | Virustotal | | Browse |
| http://python.org/dev/peps/pep-0263/ | 0% | Virustotal | | Browse |
| https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Virustotal | | Browse |
| http://greenbytes.de/tech/tc2231/ | 0% | Avira URL Cloud | safe | |
| http://pypi.python.org/pypi/wget/ | 0% | Avira URL Cloud | safe | |
| https://www.openssl.org/H | 0% | Virustotal | | Browse |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 0% | Virustotal | | Browse |
| http://bitbucket.org/techtonik/python-wget/ | 0% | Avira URL Cloud | safe | |
| http://www.python.org/dev/peps/pep-0205/ | 0% | Avira URL Cloud | safe | |
| https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Avira URL Cloud | safe | |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | 0% | Avira URL Cloud | safe | |
| http://greenbytes.de/tech/tc2231/ | 0% | Virustotal | | Browse |
| http://bitbucket.org/techtonik/python-pager | 0% | Avira URL Cloud | safe | |
| http://bitbucket.org/techtonik/python-wget/ | 0% | Virustotal | | Browse |
| http://www.python.org/download/releases/2.3/mro/. | 0% | Avira URL Cloud | safe | |
| http://www.python.org/ | 1% | Virustotal | | Browse |
| https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | 0% | Avira URL Cloud | safe | |
| http://pypi.python.org/pypi/wget/ | 0% | Virustotal | | Browse |
| https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Virustotal | | Browse |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | 0% | Virustotal | | Browse |
| https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | 0% | Virustotal | | Browse |
| http://www.python.org/download/releases/2.3/mro/. | 0% | Virustotal | | Browse |
| http://bitbucket.org/techtonik/python-pager | 0% | Virustotal | | Browse |
| http://www.python.org/dev/peps/pep-0205/ | 0% | Virustotal | | Browse |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | Eclf71HXa1.exe, 00000002.00000002.2902566713.000002492EB90000.00000004.00001000.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://python.org/dev/peps/pep-0263/ | python38.dll.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://mahler:8092/site-updates.py | Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://crl.thawte.com/ThawteTimestampingCA.crl0 | Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr | false | URL Reputation: safe | unknown |
| http://ocsp.thawte.com0 | Eclf71HXa1.exe, 00000000.00000003.1661200999.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1662375655.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665595083.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1660946935.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661067775.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1663088632.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661545370.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1665777608.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661656041.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1661383070.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000000.00000003.1664480064.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown |
| http://www.python.org/ | Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EFF1000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670602074.000002492EFF8000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000003.1670552249.000002492CEA4000.00000004.00000020.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://www.openssl.org/H | Eclf71HXa1.exe, 00000000.00000003.1663842867.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmp, Eclf71HXa1.exe, 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://crl.mic | Eclf71HXa1.exe, 00000000.00000003.1660731462.000001E0EC51E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://greenbytes.de/tech/tc2231/ | Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://pypi.python.org/pypi/wget/ | Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://bitbucket.org/techtonik/python-wget/ | Eclf71HXa1.exe, 00000002.00000002.2902902539.000002492EF50000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://www.python.org/dev/peps/pep-0205/ | Eclf71HXa1.exe, 00000000.00000003.1661863248.000001E0EC51F000.00000004.00000020.00020000.00000000.sdmp, Eclf71HXa1.exe, 00000002.00000002.2903203946.000002492F120000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://bitbucket.org/techtonik/python-pager | Eclf71HXa1.exe, 00000002.00000002.2903163468.000002492F0E0000.00000004.00001000.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| http://www.python.org/download/releases/2.3/mro/. | Eclf71HXa1.exe, 00000002.00000002.2903096268.000002492F0A0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | Eclf71HXa1.exe, 00000002.00000002.2902137397.000002492CE8A000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 77.221.149.185 | unknown | Russian Federation | | 30968 | INFOBOX-ASInfoboxruAutonomousSystemRU | false |
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466585
Start date and time: 2024-07-03 07:14:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 247
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Eclf71HXa1.exe (renamed because original name is a hash value)
Original Sample Name: 9f478308a636906db8c36e77ce68b4c2.exe
Detection: MAL
Classification: mal60.evad.winEXE@453/15@0/1
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 93.184.221.240, 13.95.31.18, 20.242.39.171
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
| Time | Type | Description |
|---|---|---|
| 01:15:24 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 77.221.149.185 | file.exe | Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse | 77.221.149.185/clients/mig.exe |
No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| INFOBOX-ASInfoboxruAutonomousSystemRU | file.exe | Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse | 77.221.149.185 |
| | file.exe | Get hash | malicious | PureLog Stealer | Browse | 77.221.140.76 |
| | file.exe | Get hash | malicious | PureLog Stealer, zgRAT | Browse | 77.221.140.76 |
| | file.exe | Get hash | malicious | PureLog Stealer | Browse | 77.221.140.76 |
| | SecuriteInfo.com.Win64.MalwareX-gen.13147.14133.exe | Get hash | malicious | Unknown | Browse | 77.221.159.5 |
| | SecuriteInfo.com.Win64.MalwareX-gen.13147.14133.exe | Get hash | malicious | Unknown | Browse | 77.221.159.5 |
| | SecuriteInfo.com.W32.MSIL_Kryptik.KHA.gen.Eldorado.9663.18711.exe | Get hash | malicious | PureLog Stealer | Browse | 77.221.140.76 |
| | file.exe | Get hash | malicious | PureLog Stealer | Browse | 77.221.140.76 |
| | file.exe | Get hash | malicious | PureLog Stealer | Browse | 77.221.140.76 |
| | SJsixjA7G2.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 109.120.177.48 |
No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\_MEI62802\_bz2.pyd | file.exe | Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse | |
| | NXyJTepLSo.exe | Get hash | malicious | AsyncRAT, BazaLoader | Browse | |
| | mFgIWyjDLH.exe | Get hash | malicious | Njrat | Browse | |
| | mFgIWyjDLH.exe | Get hash | malicious | Unknown | Browse | |
| | 20230922-053628-958800.exe | Get hash | malicious | Unknown | Browse | |
| | 2Y7Sqf0jrr.exe | Get hash | malicious | Unknown | Browse | |
| | SWS8NbS1Oq.exe | Get hash | malicious | Unknown | Browse | |
| | 16oGIeQcym.exe | Get hash | malicious | Unknown | Browse | |
| | zwhbirnqFU.exe | Get hash | malicious | Unknown | Browse | |
| | gnb_logs.exe | Get hash | malicious | Unknown | Browse | |
| C:\Users\user\AppData\Local\Temp\_MEI62802\VCRUNTIME140.dll | file.exe | Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse | |
| | Ferramenta-de-licitacion-SILEX-v3.0.3.exe | Get hash | malicious | Unknown | Browse | |
| | CK_Office.exe | Get hash | malicious | CobaltStrike | Browse | |
| | Installer.msi | Get hash | malicious | Unknown | Browse | |
| | SecuriteInfo.com.Trojan.MulDrop26.47172.19490.20786.exe | Get hash | malicious | Unknown | Browse | |
| | spyOhcYiT0.exe | Get hash | malicious | CobaltStrike, Metasploit | Browse | |
| | NXyJTepLSo.exe | Get hash | malicious | AsyncRAT, BazaLoader | Browse | |
| | LaZagne.exe | Get hash | malicious | LaZagne, Mimikatz | Browse | |
| | mFgIWyjDLH.exe | Get hash | malicious | Njrat | Browse | |
| | mFgIWyjDLH.exe | Get hash | malicious | Unknown | Browse | |
Process: C:\Users\user\Desktop\Eclf71HXa1.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 89752
Entropy (8bit): 6.5021374229557996
Encrypted: false
SSDEEP: 1536:EFmmAQ77IPzHql9a2k+2v866Xc/0i+N1WtYil42TZiCvecbtjawN+o/J:EQmI+NnXertP42xvecbtjd+ox
MD5: 0E675D4A7A5B7CCD69013386793F68EB
SHA1: 6E5821DDD8FEA6681BDA4448816F39984A33596B
SHA-256: BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
SHA-512: CAE69A90F92936FEBDE67DACD6CE77647CB3B3ED82BB66463CD9047E90723F633AA2FC365489DE09FECDC510BE15808C183B12E6236B0893AF19633F6A670E66
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:
  • Filename: file.exe, Detection: malicious, Browse
  • Filename: Ferramenta-de-licitacion-SILEX-v3.0.3.exe, Detection: malicious, Browse
  • Filename: CK_Office.exe, Detection: malicious, Browse
  • Filename: Installer.msi, Detection: malicious, Browse
  • Filename: SecuriteInfo.com.Trojan.MulDrop26.47172.19490.20786.exe, Detection: malicious, Browse
  • Filename: spyOhcYiT0.exe, Detection: malicious, Browse
  • Filename: NXyJTepLSo.exe, Detection: malicious, Browse
  • Filename: LaZagne.exe, Detection: malicious, Browse
  • Filename: mFgIWyjDLH.exe, Detection: malicious, Browse
  • Filename: mFgIWyjDLH.exe, Detection: malicious, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):84040
                                          Entropy (8bit):6.41469022264903
                                          Encrypted:false
                                          SSDEEP:1536:SSpo7/9ZwseNsUQJ8rbXis0WwOpcAE+8aoBnuRtApxbBVZIG4VJyI:SSW7lZws+bLwOpvEZa+uRWVVZIG4VF
                                          MD5:3DC8AF67E6EE06AF9EEC52FE985A7633
                                          SHA1:1451B8C598348A0C0E50AFC0EC91513C46FE3AF6
                                          SHA-256:C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
                                          SHA-512:DA16BFBC66C8ABC078278D4D3CE1595A54C9EF43AE8837CEB35AE2F4757B930FE55E258827036EBA8218315C10AF5928E30CB22C60FF69159C8FE76327280087
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Joe Sandbox View:
                                          • Filename: file.exe, Detection: malicious, Browse
                                          • Filename: NXyJTepLSo.exe, Detection: malicious, Browse
                                          • Filename: mFgIWyjDLH.exe, Detection: malicious, Browse
                                          • Filename: mFgIWyjDLH.exe, Detection: malicious, Browse
                                          • Filename: 20230922-053628-958800.exe, Detection: malicious, Browse
                                          • Filename: 2Y7Sqf0jrr.exe, Detection: malicious, Browse
                                          • Filename: SWS8NbS1Oq.exe, Detection: malicious, Browse
                                          • Filename: 16oGIeQcym.exe, Detection: malicious, Browse
                                          • Filename: zwhbirnqFU.exe, Detection: malicious, Browse
                                          • Filename: gnb_logs.exe, Detection: malicious, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):123464
                                          Entropy (8bit):5.886703955852103
                                          Encrypted:false
                                          SSDEEP:3072:qpG85kJGmH3c+5M333KvUPzeENGLf3Tz4ccUZw1IGVPE:qDSGT+5+KMPzyLf3TEcKu
                                          MD5:F1E33A8F6F91C2ED93DC5049DD50D7B8
                                          SHA1:23C583DC98AA3F6B8B108DB5D90E65D3DD72E9B4
                                          SHA-256:9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4
                                          SHA-512:229896DA389D78CBDF2168753ED7FCC72D8E0E62C6607A3766D6D47842C0ABD519AC4F5D46607B15E7BA785280F9D27B482954E931645337A152B8A54467C6A5
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):45640
                                          Entropy (8bit):5.996546047346997
                                          Encrypted:false
                                          SSDEEP:768:8skeCps0iszzPFrGE/CBAdIPGV03ju774xxIGsIx7WDG4yw:81eCpLzDBZ+AdIPmYju7OxIGsIxWyw
                                          MD5:A6448BC5E5DA21A222DE164823ADD45C
                                          SHA1:6C26EB949D7EB97D19E42559B2E3713D7629F2F9
                                          SHA-256:3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
                                          SHA-512:A3833C7E1CF0E4D181AC4DE95C5DFA685CF528DC39010BF0AC82864953106213ECCFF70785021CCB05395B5CF0DCB89404394327CD7E69F820D14DFA6FBA8CBA
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):252488
                                          Entropy (8bit):6.080982550390949
                                          Encrypted:false
                                          SSDEEP:6144:bkHDwqjhhwYbOqQNEkT/4OQhJwAbHoqLNvka/gOFhUw6b4qCNxkV/3OdhAWwPbGE:bd7/IbtSKOt
                                          MD5:37057C92F50391D0751F2C1D7AD25B02
                                          SHA1:A43C6835B11621663FA251DA421BE58D143D2AFB
                                          SHA-256:9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
                                          SHA-512:953DC856AD00C3AEC6AEAB3AFA2DEB24211B5B791C184598A2573B444761DB2D4D770B8B807EBBA00EE18725FF83157EC5FA2E3591A7756EB718EBA282491C7C
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):78920
                                          Entropy (8bit):6.061178831576516
                                          Encrypted:false
                                          SSDEEP:1536:KzMe79sDb+eGm08Vr5lcDAB9/s+7+pkaOz3CkNA9y1IGVwCyMPbi:de79u8/GFmAB9/se+pROz3jN1IGVw+Pm
                                          MD5:D6BAE4B430F349AB42553DC738699F0E
                                          SHA1:7E5EFC958E189C117ECCEF39EC16EBF00E7645A9
                                          SHA-256:587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
                                          SHA-512:A8F8FED5EA88E8177E291B708E44B763D105907E9F8C9E046C4EEBB8684A1778383D1FBA6A5FA863CA37C42FD58ED977E9BB3A6B12C5B8D9AB6EF44DE75E3D1E
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):117832
                                          Entropy (8bit):6.052642675957794
                                          Encrypted:false
                                          SSDEEP:3072:x3xozhUCVgMUGSo5iY0nx2bsxSV3QilzQmxLZIG47HZ:p6zh72PGz0nxrmVG
                                          MD5:8EE827F2FE931163F078ACDC97107B64
                                          SHA1:149BB536F3492BC59BD7071A3DA7D1F974860641
                                          SHA-256:EAEEFA6722C45E486F48A67BA18B4ABB3FF0C29E5B30C23445C29A4D0B1CD3E4
                                          SHA-512:A6D24E72BF620EF695F08F5FFDE70EF93F42A3FA60F7C76EB0F521393C595717E05CCB7A61AE216C18FE41E95FB238D82637714CF5208EE8F1DD32AE405B5565
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                          Category:dropped
                                          Size (bytes):841697
                                          Entropy (8bit):5.484581830277147
                                          Encrypted:false
                                          SSDEEP:24576:fhidp/tosQNRs54PK4IMTVw59bfCEg3TR32l:fhidp/tosQNRs54PK4IV9qw
                                          MD5:614436C7EA1EF4A93EDF3E388CA9DD65
                                          SHA1:68191FB975E9236DD9A9C5F856A5EB05E54FC082
                                          SHA-256:E728EC7DA471E7962C52BF86046F42863787F4564A08EE6666ED0C70E1A715C1
                                          SHA-512:F16437004378AECB9BD8ED81062D7AE17340EA483CDCD6259AD3279BEBD512AA2D92B012F85AFB74F34B4ECC1B45A6CE6F7FC2AA28F88D9A470BA33E50651B63
                                          Malicious:false
                                          Preview:PK..........!...7............._bootlocale.pycU....................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.|...|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...|.r.t...t.j.j.r.d.S.t...t.j...}.|.s2t.j.d.k.r2d.}.|.S.).Nr......darwin....A
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3381792
                                          Entropy (8bit):6.094908167946797
                                          Encrypted:false
                                          SSDEEP:49152:Y4TKuk29SIU6i5fOjPWl+0rOh5PKToEGG9I+q4dNQbZQm9aGupuu9LoeiyPaRb84:YiV+CGQ4dtBMeiJRb8+1CPwDv3uFZjN
                                          MD5:BF83F8AD60CB9DB462CE62C73208A30D
                                          SHA1:F1BC7DBC1E5B00426A51878719196D78981674C4
                                          SHA-256:012866B68F458EC204B9BCE067AF8F4A488860774E7E17973C49E583B52B828D
                                          SHA-512:AE1BDDA1C174DDF4205AB19A25737FE523DCA6A9A339030CD8A95674C243D0011121067C007BE56DEF4EAEFFC40CBDADFDCBD1E61DF3404D6A3921D196DCD81E
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):32792
                                          Entropy (8bit):6.372276555451265
                                          Encrypted:false
                                          SSDEEP:384:JYnlpDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYPoBhT/A4:JYe0Vn5Q28J8qsqMttktuTSTWDG4yhRe
                                          MD5:4424BAF6ED5340DF85482FA82B857B03
                                          SHA1:181B641BF21C810A486F855864CD4B8967C24C44
                                          SHA-256:8C1F7F64579D01FEDFDE07E0906B1F8E607C34D5E6424C87ABE431A2322EBA79
                                          SHA-512:8ADB94893ADA555DE2E82F006AB4D571FAD8A1B16AC19CA4D2EFC1065677F25D2DE5C981473FABD0398F6328C1BE1EBD4D36668EA67F8A5D25060F1980EE7E33
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):686112
                                          Entropy (8bit):5.528877787845415
                                          Encrypted:false
                                          SSDEEP:12288:3L6MSpHovlo4qL7a3ZV9CblMOoAXToRtrBZf3Fb85BO9K9pB3TLPDdOU2lvz8:wIAL7a3heSFZf2Pq63HJOU2lvz
                                          MD5:FE1F3632AF98E7B7A2799E3973BA03CF
                                          SHA1:353C7382E2DE3CCDD2A4911E9E158E7C78648496
                                          SHA-256:1CE7BA99E817C1C2D71BC88A1BDD6FCAD82AA5C3E519B91EBD56C96F22E3543B
                                          SHA-512:A0123DFE324D3EBF68A44AFAFCA7C6F33D918716F29B063C72C4A8BD2006B81FAEA6848F4F2423778D57296D7BF4F99A3638FC87B37520F0DCBEEFA3A2343DE0
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):4183112
                                          Entropy (8bit):6.420172758698049
                                          Encrypted:false
                                          SSDEEP:49152:wV6CJES/Za2BaobNruDPYRQYK8JCNNtkAz+/Q46VqNo9NYxwCFIInKHJCMjntPNj:MxB/aDUQNtufeNFIKHoMjzkDU
                                          MD5:D2A8A5E7380D5F4716016777818A32C5
                                          SHA1:FB12F31D1D0758FE3E056875461186056121ED0C
                                          SHA-256:59AB345C565304F638EFFA7C0236F26041FD06E35041A75988E13995CD28ACE9
                                          SHA-512:AD1269D1367F587809E3FBE44AF703C464A88FA3B2AE0BF2AD6544B8ED938E4265AAB7E308D999E6C8297C0C85C608E3160796325286DB3188A3EDF040A02AB7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):26696
                                          Entropy (8bit):6.101296746249305
                                          Encrypted:false
                                          SSDEEP:768:6kYtqIDCNdwhBfAqXuqzz5H1IGqGbWDG4y4:6TnDCNCh93X7zzR1IGqG2y4
                                          MD5:6AE54D103866AAD6F58E119D27552131
                                          SHA1:BC53A92A7667FD922CE29E98DFCF5F08F798A3D2
                                          SHA-256:63B81AF5D3576473C17AC929BEA0ADD5BF8D7EA95C946CAF66CBB9AD3F233A88
                                          SHA-512:FF23F3196A10892EA22B28AE929330C8B08AB64909937609B7AF7BFB1623CD2F02A041FD9FAB24E4BC1754276BDAFD02D832C2F642C8ECDCB233F639BDF66DD0
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1096264
                                          Entropy (8bit):5.343512979675051
                                          Encrypted:false
                                          SSDEEP:12288:EGe9qQOZ67191SnFRFotduNFBjCmN/XlyCAx9++bBlhJk93cgewrxEeBc0bB:EGe9GK4oYhCc/+9nbDhG2wrxc0bB
                                          MD5:4C0D43F1A31E76255CB592BB616683E7
                                          SHA1:0A9F3D77A6E064BAEBACACC780701117F09169AD
                                          SHA-256:0F84E9F0D0BF44D10527A9816FCAB495E3D797B09E7BBD1E6BD666CEB4B6C1A8
                                          SHA-512:B8176A180A441FE402E86F055AA5503356E7F49E984D70AB1060DEE4F5F17FCEC9C01F75BBFF75CE5F4EF212677A6525804BE53646CC0D7817B6ED5FD83FD778
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):4926
                                          Entropy (8bit):3.2433014974780257
                                          Encrypted:false
                                          SSDEEP:48:FaqdF79/0+AAHdKoqKFxcxkF3/waqdF7Swq+AAHdKoqKFxcxkFswU:cEi+AAsoJjykzESwq+AAsoJjykCwU
                                          MD5:C3BEEF83F611D6E7B7B3218DB0E34BD6
                                          SHA1:DFE8A6769A26CA961164AAFA97060A5C23BDEC4B
                                          SHA-256:C2A5A1005A41FD2A3969358A080B850CD96771FB15E376D27A010EF411006511
                                          SHA-512:A520FAAA2F9803B2A8A396F9DA87DADE4BDD662E131125DB035B7316FB4BCE56F900BFE645CEE7F7E494135E5624330211D02BC490AFB7B00C4461E0947E4693
                                          Malicious:false
                                          Preview:--------------------------------------------------------------------------------------- MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Start Time: Wed Oct 04 2023 12:03:42 MpEnsureProcessMitigationPolicy: hr = 0x1 WDEnable *********************************** WSC State Info ************************* *********************************** AntiVirusProduct ************************* displayName = [Windows Defender] pathToSignedProductExe = [windowsd
                                          File type:PE32+ executable (console) x86-64, for MS Windows
                                          Entropy (8bit):7.986990606449725
                                          TrID:
                                          • Win64 Executable Console (202006/5) 92.65%
                                          • Win64 Executable (generic) (12005/4) 5.51%
                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                          • DOS Executable Generic (2002/1) 0.92%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:Eclf71HXa1.exe
                                          File size:5'424'070 bytes
                                          MD5:9f478308a636906db8c36e77ce68b4c2
                                          SHA1:369b818537e16c4c038ce0779bb031ba6980db9c
                                          SHA256:544095b7f34939172ea5bd6544be4c82357921f3153d17ac0e4b1b93dc363de4
                                          SHA512:4f7f165b5871cb1aab078256cfffc63758cc22729fdce66c84ef6ebe2c6015cfe644040676905d5e8b5396cdaec5cf591394618b7abe77b2e2b06df36b4ff627
                                          SSDEEP:98304:qigKs0WHiaVQWJuhswoYv5eOaVczo0Ahd6y0Naxxv8fqDDAxNer84qqfW42n:XgnrHiauWJysVYvsO5oyMxxvjDDAxRqk
                                          TLSH:75463354A7E10AE6F9B78038D9A0D802D773B0230B11E89747B44A676F17BF19F39B61
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x14000b220
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x140000000
                                          Subsystem:windows cui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x667BB541 [Wed Jun 26 06:29:21 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:5
                                          OS Version Minor:2
                                          File Version Major:5
                                          File Version Minor:2
                                          Subsystem Version Major:5
                                          Subsystem Version Minor:2
                                          Import Hash:5bc16b5845145eb0edb88983820691b1
                                          Instruction
                                          dec eax
                                          sub esp, 28h
                                          call 00007F0D886F59DCh
                                          dec eax
                                          add esp, 28h
                                          jmp 00007F0D886F55EFh
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          dec eax
                                          sub esp, 28h
                                          call 00007F0D886F5D68h
                                          test eax, eax
                                          je 00007F0D886F57A3h
                                          dec eax
                                          mov eax, dword ptr [00000030h]
                                          dec eax
                                          mov ecx, dword ptr [eax+08h]
                                          jmp 00007F0D886F5787h
                                          dec eax
                                          cmp ecx, eax
                                          je 00007F0D886F5796h
                                          xor eax, eax
                                          dec eax
                                          cmpxchg dword ptr [000392DCh], ecx
                                          jne 00007F0D886F5770h
                                          xor al, al
                                          dec eax
                                          add esp, 28h
                                          ret
                                          mov al, 01h
                                          jmp 00007F0D886F5779h
                                          int3
                                          int3
                                          int3
                                          dec eax
                                          sub esp, 28h
                                          test ecx, ecx
                                          jne 00007F0D886F5789h
                                          mov byte ptr [000392C5h], 00000001h
                                          call 00007F0D886F4EC5h
                                          call 00007F0D886F6180h
                                          test al, al
                                          jne 00007F0D886F5786h
                                          xor al, al
                                          jmp 00007F0D886F5796h
                                          call 00007F0D8870446Fh
                                          test al, al
                                          jne 00007F0D886F578Bh
                                          xor ecx, ecx
                                          call 00007F0D886F6190h
                                          jmp 00007F0D886F576Ch
                                          mov al, 01h
                                          dec eax
                                          add esp, 28h
                                          ret
                                          int3
                                          int3
                                          inc eax
                                          push ebx
                                          dec eax
                                          sub esp, 20h
                                          cmp byte ptr [0003928Ch], 00000000h
                                          mov ebx, ecx
                                          jne 00007F0D886F57E9h
                                          cmp ecx, 01h
                                          jnbe 00007F0D886F57ECh
                                          call 00007F0D886F5CDEh
                                          test eax, eax
                                          je 00007F0D886F57AAh
                                          test ebx, ebx
                                          jne 00007F0D886F57A6h
                                          dec eax
                                          lea ecx, dword ptr [00039276h]
                                          call 00007F0D88704262h
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c62c | 0x50 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x568 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x46000 | 0x2280 | .pdata
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a000 | 0x768 | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x39c20 | 0x1c | .rdata
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39ae0 | 0x140 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x388 | .rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x1000 | 0x2a000 | 0x2a000 | 62fe41b4e58114ff6c80897e1c968530 | False | 0.5466657366071429 | data | 6.497507824520204 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rdata | 0x2b000 | 0x12290 | 0x12400 | 579664bdd3546d84b6784074854a7cbf | False | 0.5257785744863014 | data | 5.773184461864236 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data | 0x3e000 | 0x73d8 | 0xe00 | 4ceddbdd41b6c38e6c32765c1c3f16ea | False | 0.134765625 | data | 1.8401411328226032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .pdata | 0x46000 | 0x2280 | 0x2400 | 63f39e3ac219728e4bd78079c5185c9d | False | 0.4683159722222222 | data | 5.283330218734096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x49000 | 0x568 | 0x600 | 591e9684385d65ecde44d5bc28650a8e | False | 0.439453125 | data | 5.519816955829078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0x4a000 | 0x768 | 0x800 | 943c066a6a5cfed98e0d4305f5e9ea02 | False | 0.5205078125 | data | 5.213044374951567 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_MANIFEST | 0x49058 | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
                                          DLL | Import
                                          USER32.dll | GetWindowThreadProcessId, ShowWindow
                                          KERNEL32.dll | GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, FormatMessageW, Sleep, GetCurrentProcess, GetCurrentProcessId, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, GetConsoleWindow, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, HeapReAlloc, GetLastError, WriteConsoleW, SetEndOfFile, WaitForSingleObject, LeaveCriticalSection, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetCommandLineA, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, SetEnvironmentVariableW, GetFileAttributesExW, GetStringTypeW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize
                                          ADVAPI32.dll | ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP


                                          Target ID:0
                                          Start time:01:15:00
                                          Start date:03/07/2024
                                          Path:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\Eclf71HXa1.exe"
                                          Imagebase:0x7ff611790000
                                          File size:5'424'070 bytes
                                          MD5 hash:9F478308A636906DB8C36E77CE68B4C2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          Target ID:1
                                          Start time:01:15:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:2
                                          Start time:01:15:00
                                          Start date:03/07/2024
                                          Path:C:\Users\user\Desktop\Eclf71HXa1.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\Eclf71HXa1.exe"
                                          Imagebase:0x7ff611790000
                                          File size:5'424'070 bytes
                                          MD5 hash:9F478308A636906DB8C36E77CE68B4C2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          Target ID:3
                                          Start time:01:15:01
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:5
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:7
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:9
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff7699e0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:11
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:13
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:14
                                          Start time:01:15:02
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:15
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:16
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:17
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:18
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:19
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:20
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:22
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:23
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:24
                                          Start time:01:15:03
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:25
                                          Start time:01:15:04
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:26
                                          Start time:01:15:04
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:27
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:28
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:29
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:30
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:31
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:32
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:33
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:34
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:35
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:36
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:37
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:38
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:39
                                          Start time:01:15:15
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:40
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff70f330000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:41
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:42
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:43
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:44
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:45
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:46
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:47
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:48
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:49
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:50
                                          Start time:01:15:16
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:52
                                          Start time:01:15:24
                                          Start date:03/07/2024
                                          Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                          Imagebase:0x7ff686040000
                                          File size:468'120 bytes
                                          MD5 hash:B3676839B2EE96983F9ED735CD044159
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:53
                                          Start time:01:15:24
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:54
                                          Start time:01:15:27
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:55
                                          Start time:01:15:27
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:56
                                          Start time:01:15:27
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:57
                                          Start time:01:15:27
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:58
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:59
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:60
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:61
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:62
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:63
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:64
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:65
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:66
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:67
                                          Start time:01:15:28
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:68
                                          Start time:01:15:29
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:69
                                          Start time:01:15:29
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:70
                                          Start time:01:15:29
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:71
                                          Start time:01:15:29
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:72
                                          Start time:01:15:29
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:73
                                          Start time:01:15:29
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:74
                                          Start time:01:15:30
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:75
                                          Start time:01:15:30
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:76
                                          Start time:01:15:30
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff71e800000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:77
                                          Start time:01:15:30
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:78
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:79
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:80
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:81
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:82
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:83
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:84
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:85
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:86
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:87
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:88
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:89
                                          Start time:01:15:41
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:90
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:91
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:92
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:93
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:94
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:95
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:96
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:97
                                          Start time:01:15:42
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:98
                                          Start time:01:15:43
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:99
                                          Start time:01:15:43
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff72bec0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:100
                                          Start time:01:15:43
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:101
                                          Start time:01:15:43
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:102
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:103
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:104
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:105
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:106
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:107
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:108
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:109
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:110
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:111
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:112
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:113
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:114
                                          Start time:01:15:54
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:115
                                          Start time:01:15:55
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:116
                                          Start time:01:15:55
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:117
                                          Start time:01:15:55
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:118
                                          Start time:01:15:55
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:119
                                          Start time:01:15:55
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:120
                                          Start time:01:15:55
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:121
                                          Start time:01:15:55
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:122
                                          Start time:01:15:56
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:123
                                          Start time:01:15:56
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:124
                                          Start time:01:15:56
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:125
                                          Start time:01:15:56
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:126
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:127
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:128
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:129
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:130
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:131
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:132
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:133
                                          Start time:01:16:07
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:134
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:135
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:136
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:137
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:138
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:139
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:140
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:141
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:142
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:143
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:144
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:145
                                          Start time:01:16:08
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:146
                                          Start time:01:16:09
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:147
                                          Start time:01:16:09
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:148
                                          Start time:01:16:09
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:149
                                          Start time:01:16:09
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:150
                                          Start time:01:16:19
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:151
                                          Start time:01:16:19
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:152
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:153
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:154
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:155
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:156
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:157
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:158
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:159
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:160
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:161
                                          Start time:01:16:20
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:162
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:163
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:164
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:165
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:166
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:167
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:168
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:169
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:170
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:171
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:172
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:173
                                          Start time:01:16:21
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:175
                                          Start time:01:16:32
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:176
                                          Start time:01:16:32
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:177
                                          Start time:01:16:32
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:178
                                          Start time:01:16:32
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:179
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:180
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:181
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:182
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:183
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:184
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:185
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:186
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:187
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:188
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:189
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:190
                                          Start time:01:16:33
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:191
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:192
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:193
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:194
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:195
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:196
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:197
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:198
                                          Start time:01:16:34
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:199
                                          Start time:01:16:45
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:200
                                          Start time:01:16:45
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:201
                                          Start time:01:16:45
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:202
                                          Start time:01:16:45
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:203
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:204
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:205
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:206
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:207
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:208
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:209
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:210
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:211
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:212
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:213
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:214
                                          Start time:01:16:46
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:215
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:216
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:217
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:218
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:219
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:220
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:221
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:222
                                          Start time:01:16:47
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:223
                                          Start time:01:16:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:224
                                          Start time:01:16:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:225
                                          Start time:01:16:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:226
                                          Start time:01:16:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:227
                                          Start time:01:16:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:228
                                          Start time:01:16:58
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:229
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:230
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:231
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:232
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v2.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:233
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:234
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v3.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:235
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:236
                                          Start time:01:16:59
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im ape_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:237
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:238
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im full_rdp_modul_v1.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:239
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im rdp.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:240
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im rdp.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:241
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:242
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im wrm_modul_v4.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:243
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im nl.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:244
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im nl.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:245
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\cmd.exe /c taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff72df10000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:246
                                          Start time:01:17:00
                                          Start date:03/07/2024
                                          Path:C:\Windows\System32\taskkill.exe
                                          Wow64 process (32bit):false
                                          Commandline:taskkill /f /im WerFault.exe
                                          Imagebase:0x7ff6bdcd0000
                                          File size:101'376 bytes
                                          MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:8.6%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:10.7%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:42
7ff6117a4f20 20480 7ff6117a4f2b 20479->20480 20488 7ff6117af194 20480->20488 20501 7ff6117b01d8 EnterCriticalSection 20488->20501 17684 7ff61179b09c 17705 7ff61179b27c 17684->17705 17687 7ff61179b1f3 17846 7ff61179b59c IsProcessorFeaturePresent 17687->17846 17688 7ff61179b0bd __scrt_acquire_startup_lock 17690 7ff61179b1fd 17688->17690 17696 7ff61179b0db __scrt_release_startup_lock 17688->17696 17691 7ff61179b59c 7 API calls 17690->17691 17693 7ff61179b208 __GetCurrentState 17691->17693 17692 7ff61179b100 17694 7ff61179b186 17713 7ff6117a9338 17694->17713 17696->17692 17696->17694 17835 7ff6117a96e4 17696->17835 17698 7ff61179b18b 17719 7ff611791000 17698->17719 17702 7ff61179b1af 17702->17693 17842 7ff61179b400 17702->17842 17706 7ff61179b284 17705->17706 17707 7ff61179b290 __scrt_dllmain_crt_thread_attach 17706->17707 17708 7ff61179b0b5 17707->17708 17709 7ff61179b29d 17707->17709 17708->17687 17708->17688 17853 7ff6117a9f8c 17709->17853 17714 7ff6117a9348 17713->17714 17716 7ff6117a935d 17713->17716 17714->17716 17896 7ff6117a8dc8 17714->17896 17716->17698 17720 7ff6117926b0 17719->17720 17952 7ff6117a5220 17720->17952 17722 7ff6117926eb 17959 7ff6117925a0 17722->17959 17726 7ff61179a9b0 _log10_special 8 API calls 17728 7ff611792a6e 17726->17728 17840 7ff61179b6ec GetModuleHandleW 17728->17840 17729 7ff611792836 18135 7ff6117931a0 17729->18135 17730 7ff61179272c 17732 7ff611791bd0 49 API calls 17730->17732 17773 7ff611792748 17732->17773 17734 7ff611792885 18158 7ff611791df0 GetCurrentProcessId 17734->18158 17736 7ff611792994 18164 7ff611797440 GetConsoleWindow 17736->18164 17737 7ff61179299b 17741 7ff61179299f 17737->17741 17742 7ff6117929a4 17737->17742 17739 7ff611792878 17744 7ff61179289f 17739->17744 17745 7ff61179287d 17739->17745 18169 7ff6117975b0 GetConsoleWindow 17741->18169 18021 7ff611797040 17742->18021 17743 7ff6117926f8 17743->17726 17750 7ff611791bd0 49 API calls 17744->17750 18154 7ff61179e444 17745->18154 17752 7ff6117928be 17750->17752 17751 
7ff6117929b0 __std_exception_copy 17753 7ff6117929f2 17751->17753 17754 7ff611792ab3 17751->17754 17759 7ff6117918d0 114 API calls 17752->17759 17755 7ff611797040 14 API calls 17753->17755 18174 7ff6117930c0 17754->18174 17758 7ff6117929fe 17755->17758 17757 7ff611792ac1 17761 7ff611792ae0 17757->17761 17762 7ff611792ad4 17757->17762 18034 7ff6117971b0 17758->18034 17760 7ff6117928df 17759->17760 17764 7ff6117928ef 17760->17764 17760->17773 17766 7ff611791bd0 49 API calls 17761->17766 18177 7ff611793210 17762->18177 17768 7ff611791df0 81 API calls 17764->17768 17779 7ff611792a39 __std_exception_copy 17766->17779 17767 7ff611792a0d 17769 7ff611792a84 17767->17769 17772 7ff611792a17 17767->17772 17768->17743 18043 7ff611797490 17769->18043 18039 7ff611791bd0 17772->18039 17773->17736 17773->17737 17774 7ff611792b0d 17777 7ff611792b1e SetDllDirectoryW 17774->17777 17778 7ff611792a40 17774->17778 17780 7ff611792b32 17777->17780 17783 7ff611791df0 81 API calls 17778->17783 17779->17778 18093 7ff611797800 17779->18093 17782 7ff611792c95 17780->17782 18098 7ff6117957b0 17780->18098 17785 7ff611792ca0 17782->17785 17786 7ff611792ca7 17782->17786 17783->17743 17788 7ff611797440 4 API calls 17785->17788 17789 7ff611792cb0 17786->17789 17790 7ff611792cab 17786->17790 17793 7ff611792ca5 17788->17793 18223 7ff611792240 17789->18223 17794 7ff6117975b0 4 API calls 17790->17794 17792 7ff611792b59 17796 7ff611792b70 17792->17796 17797 7ff611792bb6 17792->17797 18180 7ff6117957f0 17792->18180 17793->17789 17794->17789 17810 7ff611792b74 17796->17810 18201 7ff611795b90 17796->18201 17797->17782 17802 7ff611792bcb 17797->17802 18115 7ff6117922a0 17802->18115 17806 7ff6117959d0 FreeLibrary 17809 7ff611792cd6 17806->17809 17810->17797 17811 7ff611791df0 81 API calls 17810->17811 17812 7ff611792bae 17811->17812 18217 7ff6117959d0 17812->18217 17836 7ff6117a971c 17835->17836 17837 7ff6117a96fb 17835->17837 20052 7ff6117a9fd8 17836->20052 17837->17694 17841 7ff61179b6fd 17840->17841 
17841->17702 17844 7ff61179b411 17842->17844 17843 7ff61179b1c6 17843->17692 17844->17843 17845 7ff61179bcb8 7 API calls 17844->17845 17845->17843 17847 7ff61179b5c2 __GetCurrentState memcpy_s 17846->17847 17848 7ff61179b5e1 RtlCaptureContext RtlLookupFunctionEntry 17847->17848 17849 7ff61179b646 memcpy_s 17848->17849 17850 7ff61179b60a RtlVirtualUnwind 17848->17850 17851 7ff61179b678 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17849->17851 17850->17849 17852 7ff61179b6c6 __GetCurrentState 17851->17852 17852->17690 17854 7ff6117b32ac 17853->17854 17855 7ff61179b2a2 17854->17855 17863 7ff6117ac1a0 17854->17863 17855->17708 17857 7ff61179bcb8 17855->17857 17858 7ff61179bcc0 17857->17858 17859 7ff61179bcca 17857->17859 17875 7ff61179c054 17858->17875 17859->17708 17874 7ff6117b01d8 EnterCriticalSection 17863->17874 17876 7ff61179bcc5 17875->17876 17877 7ff61179c063 17875->17877 17879 7ff61179c0c0 17876->17879 17883 7ff61179c290 17877->17883 17880 7ff61179c0eb 17879->17880 17881 7ff61179c0ef 17880->17881 17882 7ff61179c0ce DeleteCriticalSection 17880->17882 17881->17859 17882->17880 17887 7ff61179c0f8 17883->17887 17888 7ff61179c1e2 TlsFree 17887->17888 17889 7ff61179c13c __vcrt_FlsAlloc 17887->17889 17889->17888 17890 7ff61179c16a LoadLibraryExW 17889->17890 17891 7ff61179c229 GetProcAddress 17889->17891 17895 7ff61179c1ad LoadLibraryExW 17889->17895 17892 7ff61179c209 17890->17892 17893 7ff61179c18b GetLastError 17890->17893 17891->17888 17892->17891 17894 7ff61179c220 FreeLibrary 17892->17894 17893->17889 17894->17891 17895->17889 17895->17892 17897 7ff6117a8de1 17896->17897 17898 7ff6117a8ddd 17896->17898 17917 7ff6117b283c GetEnvironmentStringsW 17897->17917 17898->17716 17909 7ff6117a9188 17898->17909 17901 7ff6117a8dee 17903 7ff6117aa0e4 __free_lconv_num 11 API calls 17901->17903 17902 7ff6117a8dfa 17924 7ff6117a8f48 17902->17924 17903->17898 17906 7ff6117aa0e4 __free_lconv_num 11 API calls 17907 7ff6117a8e21 17906->17907 17908 
7ff6117aa0e4 __free_lconv_num 11 API calls 17907->17908 17908->17898 17910 7ff6117a91ab 17909->17910 17913 7ff6117a91c2 17909->17913 17910->17716 17911 7ff6117af7a0 MultiByteToWideChar _fread_nolock 17911->17913 17912 7ff6117aeb84 _get_daylight 11 API calls 17912->17913 17913->17910 17913->17911 17913->17912 17914 7ff6117a9236 17913->17914 17916 7ff6117aa0e4 __free_lconv_num 11 API calls 17913->17916 17915 7ff6117aa0e4 __free_lconv_num 11 API calls 17914->17915 17915->17910 17916->17913 17918 7ff6117b2860 17917->17918 17919 7ff6117a8de6 17917->17919 17920 7ff6117ad444 _fread_nolock 12 API calls 17918->17920 17919->17901 17919->17902 17921 7ff6117b2897 memcpy_s 17920->17921 17922 7ff6117aa0e4 __free_lconv_num 11 API calls 17921->17922 17923 7ff6117b28b7 FreeEnvironmentStringsW 17922->17923 17923->17919 17925 7ff6117a8f70 17924->17925 17926 7ff6117aeb84 _get_daylight 11 API calls 17925->17926 17938 7ff6117a8fab 17926->17938 17927 7ff6117a8fb3 17928 7ff6117aa0e4 __free_lconv_num 11 API calls 17927->17928 17930 7ff6117a8e02 17928->17930 17929 7ff6117a902d 17931 7ff6117aa0e4 __free_lconv_num 11 API calls 17929->17931 17930->17906 17931->17930 17932 7ff6117aeb84 _get_daylight 11 API calls 17932->17938 17933 7ff6117a901c 17935 7ff6117a9064 11 API calls 17933->17935 17936 7ff6117a9024 17935->17936 17939 7ff6117aa0e4 __free_lconv_num 11 API calls 17936->17939 17937 7ff6117a9050 17940 7ff6117aa4c4 _isindst 17 API calls 17937->17940 17938->17927 17938->17929 17938->17932 17938->17933 17938->17937 17941 7ff6117aa0e4 __free_lconv_num 11 API calls 17938->17941 17943 7ff6117b0374 17938->17943 17939->17927 17942 7ff6117a9062 17940->17942 17941->17938 17944 7ff6117b0381 17943->17944 17946 7ff6117b038b 17943->17946 17944->17946 17950 7ff6117b03a7 17944->17950 17945 7ff6117ab108 _get_daylight 11 API calls 17947 7ff6117b0393 17945->17947 17946->17945 17948 7ff6117aa4a4 _invalid_parameter_noinfo 37 API calls 17947->17948 17949 7ff6117b039f 17948->17949 17949->17938 17950->17949 17951 
7ff6117ab108 _get_daylight 11 API calls 17950->17951 17951->17947 17955 7ff6117af380 17952->17955 17953 7ff6117af3d3 17954 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 17953->17954 17956 7ff6117af3fc 17954->17956 17955->17953 17957 7ff6117af426 17955->17957 17956->17722 18236 7ff6117af258 17957->18236 18244 7ff61179acb0 17959->18244 17962 7ff6117925f8 18246 7ff6117976f0 FindFirstFileExW 17962->18246 17963 7ff6117925db 18251 7ff611791ed0 GetLastError 17963->18251 17967 7ff611792665 18267 7ff6117978b0 17967->18267 17968 7ff61179260b 18258 7ff611797770 CreateFileW 17968->18258 17970 7ff61179a9b0 _log10_special 8 API calls 17973 7ff61179269d 17970->17973 17972 7ff611792673 17975 7ff6117925ee 17972->17975 17978 7ff611791e50 78 API calls 17972->17978 17973->17743 17981 7ff6117918d0 17973->17981 17975->17970 17976 7ff611792634 __vcrt_FlsAlloc 17976->17967 17977 7ff61179261c 18261 7ff611791e50 17977->18261 17978->17975 17982 7ff6117931a0 108 API calls 17981->17982 17983 7ff611791905 17982->17983 17984 7ff611791b96 17983->17984 17985 7ff611796870 83 API calls 17983->17985 17986 7ff61179a9b0 _log10_special 8 API calls 17984->17986 17987 7ff61179194b 17985->17987 17988 7ff611791bb1 17986->17988 18020 7ff61179197c 17987->18020 18291 7ff61179eacc 17987->18291 17988->17729 17988->17730 17990 7ff61179e444 74 API calls 17990->17984 17991 7ff611791965 17992 7ff611791981 17991->17992 17993 7ff611791969 17991->17993 18295 7ff61179e794 17992->18295 18298 7ff611791db0 17993->18298 17997 7ff61179199f 17999 7ff611791db0 80 API calls 17997->17999 17998 7ff6117919b7 18000 7ff6117919ce 17998->18000 18001 7ff6117919e6 17998->18001 17999->18020 18002 7ff611791db0 80 API calls 18000->18002 18003 7ff611791bd0 49 API calls 18001->18003 18002->18020 18004 7ff6117919fd 18003->18004 18005 7ff611791bd0 49 API calls 18004->18005 18006 7ff611791a48 18005->18006 18007 7ff61179eacc 73 API calls 18006->18007 18008 7ff611791a6c 18007->18008 18009 7ff611791a81 18008->18009 18010 7ff611791a99 
18008->18010 18011 7ff611791db0 80 API calls 18009->18011 18012 7ff61179e794 _fread_nolock 53 API calls 18010->18012 18011->18020 18013 7ff611791aae 18012->18013 18014 7ff611791ab4 18013->18014 18015 7ff611791acc 18013->18015 18016 7ff611791db0 80 API calls 18014->18016 18303 7ff61179e508 18015->18303 18016->18020 18019 7ff611791df0 81 API calls 18019->18020 18020->17990 18022 7ff61179704a 18021->18022 18023 7ff611797800 2 API calls 18022->18023 18024 7ff611797069 GetEnvironmentVariableW 18023->18024 18025 7ff6117970d2 18024->18025 18026 7ff611797086 ExpandEnvironmentStringsW 18024->18026 18028 7ff61179a9b0 _log10_special 8 API calls 18025->18028 18026->18025 18027 7ff6117970a8 18026->18027 18029 7ff6117978b0 2 API calls 18027->18029 18030 7ff6117970e4 18028->18030 18031 7ff6117970ba 18029->18031 18030->17751 18032 7ff61179a9b0 _log10_special 8 API calls 18031->18032 18033 7ff6117970ca 18032->18033 18033->17751 18035 7ff611797800 2 API calls 18034->18035 18036 7ff6117971c4 18035->18036 18619 7ff6117a7dec 18036->18619 18038 7ff6117971d6 __std_exception_copy 18038->17767 18040 7ff611791bf5 18039->18040 18041 7ff6117a4764 49 API calls 18040->18041 18042 7ff611791c18 18041->18042 18042->17779 18044 7ff6117974a5 18043->18044 18637 7ff611796d20 GetCurrentProcess OpenProcessToken 18044->18637 18047 7ff611796d20 7 API calls 18048 7ff6117974d1 18047->18048 18049 7ff611797504 18048->18049 18050 7ff6117974ea 18048->18050 18052 7ff611796e10 48 API calls 18049->18052 18647 7ff611796e10 18050->18647 18054 7ff611797517 LocalFree LocalFree 18052->18054 18055 7ff611797533 18054->18055 18057 7ff61179753f 18054->18057 18056 7ff611791e50 78 API calls 18055->18056 18056->18057 18058 7ff61179a9b0 _log10_special 8 API calls 18057->18058 18059 7ff611792a89 18058->18059 18059->17778 18060 7ff611796e70 18059->18060 18061 7ff611796e88 18060->18061 18062 7ff611796f0a GetTempPathW GetCurrentProcessId 18061->18062 18063 7ff611796eac 18061->18063 18842 7ff611797610 18062->18842 18065 
7ff611797040 14 API calls 18063->18065 18066 7ff611796eb8 18065->18066 18849 7ff6117969a0 18066->18849 18075 7ff611796f38 __std_exception_copy 18079 7ff611796f75 __std_exception_copy 18075->18079 18846 7ff6117a8724 18075->18846 18078 7ff61179a9b0 _log10_special 8 API calls 18084 7ff611797800 2 API calls 18079->18084 18092 7ff611796fe4 __std_exception_copy 18079->18092 18085 7ff611796fc1 18084->18085 18092->18078 18094 7ff611797846 18093->18094 18095 7ff611797822 MultiByteToWideChar 18093->18095 18096 7ff611797863 MultiByteToWideChar 18094->18096 18097 7ff61179785c __std_exception_copy 18094->18097 18095->18094 18095->18097 18096->18097 18097->17774 18100 7ff6117957c5 18098->18100 18099 7ff611792b44 18102 7ff611795d20 18099->18102 18100->18099 18101 7ff611791db0 80 API calls 18100->18101 18101->18099 18103 7ff611795d50 18102->18103 18104 7ff611795d6a __std_exception_copy 18102->18104 18103->18104 19011 7ff611791420 18103->19011 18104->17792 18106 7ff611795d74 18106->18104 18107 7ff611793210 49 API calls 18106->18107 18108 7ff611795d96 18107->18108 18109 7ff611793210 49 API calls 18108->18109 18113 7ff611795d9b 18108->18113 18110 7ff611795dba 18109->18110 18112 7ff611793210 49 API calls 18110->18112 18110->18113 18111 7ff611791df0 81 API calls 18111->18104 18112->18113 18113->18111 18114 7ff611795e4f __std_exception_copy memcpy_s 18113->18114 18114->17792 18126 7ff6117922ae memcpy_s 18115->18126 18116 7ff61179a9b0 _log10_special 8 API calls 18118 7ff61179254e 18116->18118 18117 7ff6117924a7 18117->18116 18118->17743 18134 7ff611797420 LocalFree 18118->18134 18120 7ff611791bd0 49 API calls 18120->18126 18121 7ff6117924c9 18123 7ff611791df0 81 API calls 18121->18123 18123->18117 18125 7ff6117924a9 18129 7ff611791df0 81 API calls 18125->18129 18126->18117 18126->18120 18126->18121 18126->18125 18128 7ff611791df0 81 API calls 18126->18128 18132 7ff6117924b7 18126->18132 19072 7ff611793140 18126->19072 19078 7ff611796700 18126->19078 19090 7ff6117915a0 18126->19090 19128 
7ff611795b00 18126->19128 19132 7ff611792d70 18126->19132 19176 7ff611793030 18126->19176 18128->18126 18129->18117 18133 7ff611791df0 81 API calls 18132->18133 18133->18117 18136 7ff6117931ac 18135->18136 18137 7ff611797800 2 API calls 18136->18137 18138 7ff6117931d4 18137->18138 18139 7ff611797800 2 API calls 18138->18139 18140 7ff6117931e7 18139->18140 19296 7ff6117a5db4 18140->19296 18143 7ff61179a9b0 _log10_special 8 API calls 18144 7ff611792846 18143->18144 18144->17734 18145 7ff611796870 18144->18145 18146 7ff611796894 18145->18146 18147 7ff61179eacc 73 API calls 18146->18147 18152 7ff61179696b __std_exception_copy 18146->18152 18148 7ff6117968b0 18147->18148 18148->18152 19687 7ff6117a7664 18148->19687 18150 7ff61179eacc 73 API calls 18153 7ff6117968c5 18150->18153 18151 7ff61179e794 _fread_nolock 53 API calls 18151->18153 18152->17739 18153->18150 18153->18151 18153->18152 18155 7ff61179e474 18154->18155 19702 7ff61179e220 18155->19702 18157 7ff61179e48d 18157->17734 18159 7ff611791e1a 18158->18159 18160 7ff611791d60 78 API calls 18159->18160 18161 7ff611791e2c 18160->18161 18162 7ff611791c30 80 API calls 18161->18162 18163 7ff611791e3b 18162->18163 18163->17743 18165 7ff611797454 GetCurrentProcessId GetWindowThreadProcessId 18164->18165 18167 7ff611792999 18164->18167 18166 7ff611797473 18165->18166 18165->18167 18166->18167 18168 7ff611797479 ShowWindow 18166->18168 18167->17742 18168->18167 18170 7ff6117975c4 GetCurrentProcessId GetWindowThreadProcessId 18169->18170 18171 7ff6117975f7 18169->18171 18170->18171 18172 7ff6117975e3 18170->18172 18171->17742 18172->18171 18173 7ff6117975e9 ShowWindow 18172->18173 18173->18171 18175 7ff611791bd0 49 API calls 18174->18175 18176 7ff6117930dd 18175->18176 18176->17757 18178 7ff611791bd0 49 API calls 18177->18178 18179 7ff611793240 18178->18179 18179->17779 18184 7ff61179580c 18180->18184 18181 7ff61179a9b0 _log10_special 8 API calls 18182 7ff611795941 18181->18182 18182->17796 18183 7ff6117917c0 45 API calls 
18183->18184 18184->18183 18185 7ff6117959ad 18184->18185 18187 7ff611791bd0 49 API calls 18184->18187 18188 7ff61179599a 18184->18188 18189 7ff611793140 10 API calls 18184->18189 18191 7ff61179592f 18184->18191 18192 7ff61179595d 18184->18192 18193 7ff611796700 52 API calls 18184->18193 18195 7ff611791df0 81 API calls 18184->18195 18196 7ff611795987 18184->18196 18198 7ff6117915a0 115 API calls 18184->18198 18199 7ff611795970 18184->18199 18186 7ff611791df0 81 API calls 18185->18186 18186->18191 18187->18184 18190 7ff611791df0 81 API calls 18188->18190 18189->18184 18190->18191 18191->18181 18194 7ff611791df0 81 API calls 18192->18194 18193->18184 18194->18191 18195->18184 18197 7ff611791df0 81 API calls 18196->18197 18197->18191 18198->18184 18200 7ff611791df0 81 API calls 18199->18200 18200->18191 19713 7ff6117973d0 18201->19713 18203 7ff611795ba9 18204 7ff6117973d0 3 API calls 18203->18204 18205 7ff611795bbc 18204->18205 18206 7ff611795bef 18205->18206 18208 7ff611795bd4 18205->18208 18207 7ff611791df0 81 API calls 18206->18207 18210 7ff611792b85 18207->18210 19717 7ff6117960c0 GetProcAddress 18208->19717 18210->17810 18211 7ff611795ef0 18210->18211 18212 7ff611795f0d 18211->18212 18213 7ff611791df0 81 API calls 18212->18213 18216 7ff611795f74 18212->18216 18214 7ff611795f5c 18213->18214 18215 7ff6117959d0 FreeLibrary 18214->18215 18215->18216 18216->17810 18220 7ff611795a13 18217->18220 18222 7ff6117959e2 18217->18222 18218 7ff611795aca 18218->18220 19777 7ff6117973b0 FreeLibrary 18218->19777 18220->17797 18222->18218 18222->18220 19776 7ff6117973b0 FreeLibrary 18222->19776 19778 7ff611794d50 18223->19778 18227 7ff611792261 18231 7ff611792279 18227->18231 19848 7ff611794a60 18227->19848 18232 7ff611792560 18231->18232 18233 7ff61179256e 18232->18233 18234 7ff61179257f 18233->18234 20051 7ff6117973b0 FreeLibrary 18233->20051 18234->17806 18243 7ff6117a4f7c EnterCriticalSection 18236->18243 18245 7ff6117925ac GetModuleFileNameW 18244->18245 18245->17962 
18245->17963 18247 7ff61179772f FindClose 18246->18247 18248 7ff611797742 18246->18248 18247->18248 18249 7ff61179a9b0 _log10_special 8 API calls 18248->18249 18250 7ff611792602 18249->18250 18250->17967 18250->17968 18252 7ff611791f0b 18251->18252 18272 7ff6117a4640 18252->18272 18254 7ff611791f29 FormatMessageW 18255 7ff611791f73 18254->18255 18279 7ff611791d60 18255->18279 18259 7ff6117977b0 GetFinalPathNameByHandleW CloseHandle 18258->18259 18260 7ff611792618 18258->18260 18259->18260 18260->17976 18260->17977 18262 7ff611791e70 18261->18262 18263 7ff611791d60 78 API calls 18262->18263 18264 7ff611791e8e 18263->18264 18265 7ff6117a4640 78 API calls 18264->18265 18266 7ff611791ec0 18265->18266 18266->17975 18268 7ff6117978da WideCharToMultiByte 18267->18268 18269 7ff611797905 18267->18269 18268->18269 18271 7ff61179791b __std_exception_copy 18268->18271 18270 7ff611797922 WideCharToMultiByte 18269->18270 18269->18271 18270->18271 18271->17972 18273 7ff6117a466a 18272->18273 18274 7ff6117a46a2 18273->18274 18276 7ff6117a46d5 18273->18276 18275 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18274->18275 18278 7ff6117a46cb 18275->18278 18283 7ff61179ef78 18276->18283 18278->18254 18280 7ff611791d86 18279->18280 18281 7ff6117a4640 78 API calls 18280->18281 18282 7ff611791d9c 18281->18282 18282->17975 18290 7ff6117a4f7c EnterCriticalSection 18283->18290 18292 7ff61179eafc 18291->18292 18309 7ff61179e85c 18292->18309 18294 7ff61179eb15 18294->17991 18321 7ff61179e7b4 18295->18321 18335 7ff611791c30 18298->18335 18304 7ff61179e511 18303->18304 18305 7ff611791ae6 18303->18305 18306 7ff6117ab108 _get_daylight 11 API calls 18304->18306 18305->18019 18305->18020 18307 7ff61179e516 18306->18307 18308 7ff6117aa4a4 _invalid_parameter_noinfo 37 API calls 18307->18308 18308->18305 18310 7ff61179e8c6 18309->18310 18311 7ff61179e886 18309->18311 18310->18311 18313 7ff61179e8d2 18310->18313 18312 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18311->18312 18314 
7ff61179e8ad 18312->18314 18320 7ff6117a4f7c EnterCriticalSection 18313->18320 18314->18294 18322 7ff61179e7de 18321->18322 18323 7ff611791999 18321->18323 18322->18323 18324 7ff61179e82a 18322->18324 18325 7ff61179e7ed memcpy_s 18322->18325 18323->17997 18323->17998 18334 7ff6117a4f7c EnterCriticalSection 18324->18334 18327 7ff6117ab108 _get_daylight 11 API calls 18325->18327 18329 7ff61179e802 18327->18329 18331 7ff6117aa4a4 _invalid_parameter_noinfo 37 API calls 18329->18331 18331->18323 18336 7ff611791c40 18335->18336 18352 7ff6117a4764 18336->18352 18339 7ff611797800 2 API calls 18340 7ff611791ca0 18339->18340 18341 7ff611791cc8 18340->18341 18342 7ff611791caa 18340->18342 18370 7ff611791d10 18341->18370 18343 7ff611791d60 78 API calls 18342->18343 18345 7ff611791cc6 18343->18345 18346 7ff61179a9b0 _log10_special 8 API calls 18345->18346 18347 7ff611791cf1 18346->18347 18348 7ff6117a50d0 18347->18348 18349 7ff6117a50fb 18348->18349 18605 7ff6117a4f94 18349->18605 18353 7ff6117a47be 18352->18353 18354 7ff6117a47e3 18353->18354 18356 7ff6117a481f 18353->18356 18355 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18354->18355 18358 7ff6117a480d 18355->18358 18374 7ff6117a1658 18356->18374 18361 7ff61179a9b0 _log10_special 8 API calls 18358->18361 18359 7ff6117a48fc 18360 7ff6117aa0e4 __free_lconv_num 11 API calls 18359->18360 18360->18358 18362 7ff611791c88 18361->18362 18362->18339 18364 7ff6117a48d1 18366 7ff6117aa0e4 __free_lconv_num 11 API calls 18364->18366 18365 7ff6117a4920 18365->18359 18368 7ff6117a492a 18365->18368 18366->18358 18367 7ff6117a48c8 18367->18359 18367->18364 18369 7ff6117aa0e4 __free_lconv_num 11 API calls 18368->18369 18369->18358 18371 7ff611791d36 18370->18371 18590 7ff6117a451c 18371->18590 18373 7ff611791d4c 18373->18345 18375 7ff6117a1696 18374->18375 18376 7ff6117a1686 18374->18376 18377 7ff6117a169f 18375->18377 18382 7ff6117a16cd 18375->18382 18380 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18376->18380 18378 
7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18377->18378 18379 7ff6117a16c5 18378->18379 18379->18359 18379->18364 18379->18365 18379->18367 18380->18379 18382->18376 18382->18379 18384 7ff6117a197c 18382->18384 18388 7ff6117a2a28 18382->18388 18414 7ff6117a2108 18382->18414 18444 7ff6117a11a0 18382->18444 18447 7ff6117a4110 18382->18447 18386 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18384->18386 18386->18376 18389 7ff6117a2a6a 18388->18389 18390 7ff6117a2add 18388->18390 18393 7ff6117a2a70 18389->18393 18394 7ff6117a2b07 18389->18394 18391 7ff6117a2ae2 18390->18391 18392 7ff6117a2b37 18390->18392 18395 7ff6117a2ae4 18391->18395 18396 7ff6117a2b17 18391->18396 18392->18394 18397 7ff6117a2b46 18392->18397 18412 7ff6117a2aa0 18392->18412 18393->18397 18401 7ff6117a2a75 18393->18401 18471 7ff61179ffc8 18394->18471 18402 7ff6117a2af3 18395->18402 18405 7ff6117a2a85 18395->18405 18478 7ff61179fbb8 18396->18478 18413 7ff6117a2b75 18397->18413 18485 7ff6117a03d8 18397->18485 18403 7ff6117a2ab8 18401->18403 18401->18405 18401->18412 18402->18394 18406 7ff6117a2af8 18402->18406 18403->18413 18463 7ff6117a3d0c 18403->18463 18405->18413 18453 7ff6117a3850 18405->18453 18406->18413 18467 7ff6117a3ea4 18406->18467 18408 7ff61179a9b0 _log10_special 8 API calls 18410 7ff6117a2e0b 18408->18410 18410->18382 18412->18413 18492 7ff6117ae6a0 18412->18492 18413->18408 18415 7ff6117a2113 18414->18415 18416 7ff6117a2129 18414->18416 18418 7ff6117a2167 18415->18418 18419 7ff6117a2a6a 18415->18419 18420 7ff6117a2add 18415->18420 18417 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18416->18417 18416->18418 18417->18418 18418->18382 18423 7ff6117a2a70 18419->18423 18424 7ff6117a2b07 18419->18424 18421 7ff6117a2ae2 18420->18421 18422 7ff6117a2b37 18420->18422 18425 7ff6117a2ae4 18421->18425 18426 7ff6117a2b17 18421->18426 18422->18424 18433 7ff6117a2b46 18422->18433 18442 7ff6117a2aa0 18422->18442 18431 7ff6117a2a75 18423->18431 18423->18433 18428 7ff61179ffc8 38 API 
calls 18424->18428 18427 7ff6117a2a85 18425->18427 18435 7ff6117a2af3 18425->18435 18429 7ff61179fbb8 38 API calls 18426->18429 18430 7ff6117a3850 47 API calls 18427->18430 18443 7ff6117a2b75 18427->18443 18428->18442 18429->18442 18430->18442 18431->18427 18432 7ff6117a2ab8 18431->18432 18431->18442 18436 7ff6117a3d0c 47 API calls 18432->18436 18432->18443 18434 7ff6117a03d8 38 API calls 18433->18434 18433->18443 18434->18442 18435->18424 18437 7ff6117a2af8 18435->18437 18436->18442 18439 7ff6117a3ea4 37 API calls 18437->18439 18437->18443 18438 7ff61179a9b0 _log10_special 8 API calls 18440 7ff6117a2e0b 18438->18440 18439->18442 18440->18382 18441 7ff6117ae6a0 47 API calls 18441->18442 18442->18441 18442->18443 18443->18438 18565 7ff61179f18c 18444->18565 18448 7ff6117a4127 18447->18448 18582 7ff6117ad800 18448->18582 18454 7ff6117a3872 18453->18454 18502 7ff61179eff8 18454->18502 18459 7ff6117a4110 45 API calls 18461 7ff6117a39af 18459->18461 18460 7ff6117a4110 45 API calls 18462 7ff6117a3a38 18460->18462 18461->18460 18461->18461 18461->18462 18462->18412 18464 7ff6117a3d8c 18463->18464 18465 7ff6117a3d24 18463->18465 18464->18412 18465->18464 18466 7ff6117ae6a0 47 API calls 18465->18466 18466->18464 18469 7ff6117a3ec5 18467->18469 18468 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18470 7ff6117a3ef6 18468->18470 18469->18468 18469->18470 18470->18412 18472 7ff61179fffb 18471->18472 18473 7ff6117a002a 18472->18473 18475 7ff6117a00e7 18472->18475 18474 7ff61179eff8 12 API calls 18473->18474 18477 7ff6117a0067 18473->18477 18474->18477 18476 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18475->18476 18476->18477 18477->18412 18479 7ff61179fbeb 18478->18479 18480 7ff61179fc1a 18479->18480 18482 7ff61179fcd7 18479->18482 18481 7ff61179eff8 12 API calls 18480->18481 18484 7ff61179fc57 18480->18484 18481->18484 18483 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18482->18483 18483->18484 18484->18412 18486 7ff6117a040b 18485->18486 18487 
7ff6117a043a 18486->18487 18489 7ff6117a04f7 18486->18489 18488 7ff61179eff8 12 API calls 18487->18488 18491 7ff6117a0477 18487->18491 18488->18491 18490 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18489->18490 18490->18491 18491->18412 18493 7ff6117ae6c8 18492->18493 18494 7ff6117ae70d 18493->18494 18495 7ff6117a4110 45 API calls 18493->18495 18497 7ff6117ae6f6 memcpy_s 18493->18497 18499 7ff6117ae6cd memcpy_s 18493->18499 18494->18497 18498 7ff6117b05f4 WideCharToMultiByte 18494->18498 18494->18499 18495->18494 18496 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18496->18499 18497->18496 18497->18499 18500 7ff6117ae7e9 18498->18500 18499->18412 18500->18499 18501 7ff6117ae7fe GetLastError 18500->18501 18501->18497 18501->18499 18503 7ff61179f02f 18502->18503 18504 7ff61179f01e 18502->18504 18503->18504 18505 7ff6117ad444 _fread_nolock 12 API calls 18503->18505 18510 7ff6117ae3b8 18504->18510 18506 7ff61179f05c 18505->18506 18507 7ff61179f070 18506->18507 18508 7ff6117aa0e4 __free_lconv_num 11 API calls 18506->18508 18509 7ff6117aa0e4 __free_lconv_num 11 API calls 18507->18509 18508->18507 18509->18504 18511 7ff6117ae3d5 18510->18511 18512 7ff6117ae408 18510->18512 18513 7ff6117aa3d8 _invalid_parameter_noinfo 37 API calls 18511->18513 18512->18511 18514 7ff6117ae43a 18512->18514 18522 7ff6117a398d 18513->18522 18519 7ff6117ae54d 18514->18519 18527 7ff6117ae482 18514->18527 18515 7ff6117ae63f 18556 7ff6117ad8a4 18515->18556 18517 7ff6117ae605 18549 7ff6117adc3c 18517->18549 18519->18515 18519->18517 18520 7ff6117ae5d4 18519->18520 18521 7ff6117ae597 18519->18521 18524 7ff6117ae58d 18519->18524 18542 7ff6117adf1c 18520->18542 18532 7ff6117ae14c 18521->18532 18522->18459 18522->18461 18524->18517 18526 7ff6117ae592 18524->18526 18526->18520 18526->18521 18527->18522 18528 7ff6117aa02c __std_exception_copy 37 API calls 18527->18528 18529 7ff6117ae53a 18528->18529 18529->18522 18530 7ff6117aa4c4 _isindst 17 API calls 18529->18530 18531 7ff6117ae69c 

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                            • String ID:
                                            • API String ID: 1617910340-0
                                            • Opcode ID: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
                                            • Instruction ID: e9b766d30431cdaac40cbc9405adc1d7e96f258cced66ba8ef2a24421e978574
                                            • Opcode Fuzzy Hash: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
                                            • Instruction Fuzzy Hash: 29C1B036B28E4585EB10CF65D4802BD3765FB49FA8B158225EF2E97796CF38E059C304
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
                                            • Instruction ID: 972c081b9856a23970fe85ca7da3338c6ec47a1dfcf132f97310e61f928a95b9
                                            • Opcode Fuzzy Hash: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
                                            • Instruction Fuzzy Hash: E1F0AF22A18A4A86FBA08B60B45937AA394BB84B38F404735DA6D427D5DF3CD00D8A00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentFeaturePresentProcessProcessor
                                            • String ID:
                                            • API String ID: 1010374628-0
                                            • Opcode ID: c63311b01d1a6e4693b2802a553c6efb69c7371c9394ff3b7d96d243a04cbdf2
                                            • Instruction ID: 1f5f7c076d9c08a103e72b5fca96edc431ac9a2c262d54a0528897a4e6493510
                                            • Opcode Fuzzy Hash: c63311b01d1a6e4693b2802a553c6efb69c7371c9394ff3b7d96d243a04cbdf2
                                            • Instruction Fuzzy Hash: 1E028221A1DE4784FF66AB12A40427A26ACAF41FB0F588635DD6EC67D3DF3DE4498304

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
7ff611791df0 call 7ff6117959d0 157->162 159->149 172 7ff611792ba2 159->172 160->162 162->138 176 7ff611792bf2-7ff611792bf7 call 7ff611797440 166->176 177 7ff611792bf9-7ff611792bfb 166->177 172->162 179 7ff611792c02-7ff611792c18 call 7ff611797150 call 7ff6117971f0 176->179 177->179 180 7ff611792bfd call 7ff6117975b0 177->180 186 7ff611792c1d-7ff611792c45 call 7ff6117959d0 call 7ff611795760 call 7ff6117970f0 179->186 180->179 193 7ff611792c82-7ff611792c90 call 7ff611791880 186->193 194 7ff611792c47-7ff611792c55 186->194 193->125 196 7ff611792c76-7ff611792c7d call 7ff611791df0 194->196 197 7ff611792c57-7ff611792c71 call 7ff611791df0 call 7ff611791880 194->197 196->193 197->125
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: FileModuleName
                                            • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$hide-early$hide-late$minimize-early$minimize-late$pkg$pyi-contents-directory$pyi-hide-console$pyi-runtime-tmpdir
                                            • API String ID: 514040917-560148345
                                            • Opcode ID: 2c7d76c8d00902d27f2ae3c6124860acbe6f349ed5bc69481431023141730cb7
                                            • Instruction ID: d8ac9cbfc25f4d0f4dd686041a56137b430c47ef5e3fd74e37701a3aed9e935a
                                            • Opcode Fuzzy Hash: 2c7d76c8d00902d27f2ae3c6124860acbe6f349ed5bc69481431023141730cb7
                                            • Instruction Fuzzy Hash: EE024A21A0CE8A91EB21EB2194652F92399AF54FB4F844032DE4DC7797EF2CE65CC350

                                            Control-flow Graph

                                            Similarity
                                            • API ID: _fread_nolock
                                            • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                            • API String ID: 840049012-3497178890
                                            • Opcode ID: 9448289d850b2c1ac30b1d105f1acf65113301373b305ca5433322570891db4a
                                            • Instruction ID: 8c620b0e41646f975d9f01cc0a29356eb7411ee7b16a36e7b6d7574a7679abb4
                                            • Opcode Fuzzy Hash: 9448289d850b2c1ac30b1d105f1acf65113301373b305ca5433322570891db4a
                                            • Instruction Fuzzy Hash: B6719571A09E8A85EB60DB14E4602F923A9EF44FB4F448039D98DC779BEE2CE55C8740

                                            Control-flow Graph

                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                            • API String ID: 2050909247-1550345328
                                            • Opcode ID: ad0231a84cc8569aabf7d8f4a1d83debc7dfa7bbdc5c0a10b081c2b7dfb0dded
                                            • Instruction ID: 99e1742a57beb6e2366d316894f4f5feb767fe9c88fea5a115e0195d192c97b3
                                            • Opcode Fuzzy Hash: ad0231a84cc8569aabf7d8f4a1d83debc7dfa7bbdc5c0a10b081c2b7dfb0dded
                                            • Instruction Fuzzy Hash: 2B518061B08E4B92EB209B25A4601B92368FF44FB4F884135EE1D87797EF7CE56C8340

                                            Control-flow Graph

                                            APIs
                                            • GetTempPathW.KERNEL32(?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF611796F14
                                            • GetCurrentProcessId.KERNEL32(?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF611796F1A
                                            • CreateDirectoryW.KERNELBASE(?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF611796F5C
                                              • Part of subcall function 00007FF611797040: GetEnvironmentVariableW.KERNEL32(00007FF6117929B0), ref: 00007FF611797077
                                              • Part of subcall function 00007FF611797040: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF611797099
                                              • Part of subcall function 00007FF6117A7DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117A7E05
                                            Similarity
                                            • API ID: Environment$CreateCurrentDirectoryExpandPathProcessStringsTempVariable_invalid_parameter_noinfo
                                            • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                            • API String ID: 365913792-1339014028
                                            • Opcode ID: 3ace134f01f87639eb6351f9f1db5e29782779556c5dab28e5d311e0ab063356
                                            • Instruction ID: 9b778db8ca6e903e2bdd99fae5b74190eb77ad9348f2a70066c6b77c34212508
                                            • Opcode Fuzzy Hash: 3ace134f01f87639eb6351f9f1db5e29782779556c5dab28e5d311e0ab063356
                                            • Instruction Fuzzy Hash: 4041D311A09E4640EB20EB25E8612F952A9AF48FF4F484131ED0EC77A7EE3CE54CC700

                                            Control-flow Graph

                                            Similarity
                                            • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                            • String ID: CreateProcessW$Failed to create child process!
                                            • API String ID: 2895956056-699529898
                                            • Opcode ID: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                            • Instruction ID: 81192d72e0f3bbf235e55dd5db980eb5059b6b670ab155f4c81bbd574a49b8b5
                                            • Opcode Fuzzy Hash: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                            • Instruction Fuzzy Hash: C9412132A08F8685EB209B64F4552BAA3A8FB85774F544335E6AD877D6DF7CD0488B00

                                            Control-flow Graph

                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                            • API String ID: 2050909247-2813020118
                                            • Opcode ID: b5fe0176d314eaee69bbf14cc61c4a8f8676714c6b78611b9ebb58fe590763f0
                                            • Instruction ID: 8d1dd6cadd561c1cfbe894a3c69b4f064ef0f39e67a04b7eae93a1ffdf6bfde8
                                            • Opcode Fuzzy Hash: b5fe0176d314eaee69bbf14cc61c4a8f8676714c6b78611b9ebb58fe590763f0
                                            • Instruction Fuzzy Hash: 6451B662A08E4645E7609B15B4603BA62A5BF44BB4F484139ED4DC7BD7EF3CE55DC300

                                            Control-flow Graph

                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            • Opcode ID: a28cd08252ad5064423087568c49e9a7316f24dfb60174969f3a4ac2ff351578
                                            • Instruction ID: cf103560c57645994348c8cee29478c094d9242e750a8d437430bedc28ea3a6d
                                            • Opcode Fuzzy Hash: a28cd08252ad5064423087568c49e9a7316f24dfb60174969f3a4ac2ff351578
                                            • Instruction Fuzzy Hash: D0C1B422A0CF8681E7609B15A4442BE3B58EB81FA0F5D4531DA4E837B3DF7DE54D8701

                                            Control-flow Graph

                                            Similarity
                                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                            • String ID:
                                            • API String ID: 995526605-0
                                            • Opcode ID: 6d514f459d47cfe2cf0c15e0a3103aa6adbf6aa1491c99449bd82d5f21bc2020
                                            • Instruction ID: 33e3dfd30ae3986983cf226a419761b4a119afd9c026720583e9fbf84302dbfe
                                            • Opcode Fuzzy Hash: 6d514f459d47cfe2cf0c15e0a3103aa6adbf6aa1491c99449bd82d5f21bc2020
                                            • Instruction Fuzzy Hash: 67212121A0CE4642EB609B55A45423AA3A8EF85BB0F544335EA7D83BE6DF6CD48DC700

                                            Control-flow Graph

                                            APIs
                                            • GetModuleFileNameW.KERNEL32(?,00007FF6117926F4), ref: 00007FF6117925D1
                                              • Part of subcall function 00007FF611791ED0: GetLastError.KERNEL32 ref: 00007FF611791EEC
                                              • Part of subcall function 00007FF611791ED0: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6117925EE,?,00007FF6117926F4), ref: 00007FF611791F56
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileFormatLastMessageModuleName
                                            • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                            • API String ID: 1234058594-2863816727
                                            • Opcode ID: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
                                            • Instruction ID: 99f61b79627a72bc72382063b2a74599e56bb51525ce45dc1ba603623d7d34a7
                                            • Opcode Fuzzy Hash: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
                                            • Instruction Fuzzy Hash: 92217F61B08E4681EB20AB25E8653B92258AF48BB4F804135E55DC6BD7EE2CE50C8744

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00007FF611796D20: GetCurrentProcess.KERNEL32 ref: 00007FF611796D40
                                              • Part of subcall function 00007FF611796D20: OpenProcessToken.ADVAPI32 ref: 00007FF611796D53
                                              • Part of subcall function 00007FF611796D20: GetTokenInformation.KERNELBASE ref: 00007FF611796D78
                                              • Part of subcall function 00007FF611796D20: GetLastError.KERNEL32 ref: 00007FF611796D82
                                              • Part of subcall function 00007FF611796D20: GetTokenInformation.KERNELBASE ref: 00007FF611796DC2
                                              • Part of subcall function 00007FF611796D20: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF611796DDE
                                              • Part of subcall function 00007FF611796D20: CloseHandle.KERNEL32 ref: 00007FF611796DF6
                                            • LocalFree.KERNEL32(00000000,00007FF611792A89), ref: 00007FF61179751C
                                            • LocalFree.KERNEL32 ref: 00007FF611797525
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                            • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                            • API String ID: 6828938-1529539262
                                            • Opcode ID: 60c4fd39fcac6d8e283f4d7189cc44c35b978d9b95943a5d7ecd7241549dd8e4
                                            • Instruction ID: b7f04f10f9e51e35868b4b8b928ce5efcc98b1c620c67847ed1f68f1b9d7536a
                                            • Opcode Fuzzy Hash: 60c4fd39fcac6d8e283f4d7189cc44c35b978d9b95943a5d7ecd7241549dd8e4
                                            • Instruction Fuzzy Hash: D0212D21A08F8682EB50AB11E4253FA6269FF88BB0F544435EA4D83797DF3CE94DC740

                                            Control-flow Graph

                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6117ACBCB), ref: 00007FF6117ACCFC
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6117ACBCB), ref: 00007FF6117ACD87
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ConsoleErrorLastMode
                                            • String ID:
                                            • API String ID: 953036326-0
                                            • Opcode ID: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
                                            • Instruction ID: 4ddfd0f4f596ffa7f4a4312e86d01ef10fe70b89c54b84b57ee22b55731100b5
                                            • Opcode Fuzzy Hash: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
                                            • Instruction Fuzzy Hash: F691A672E0CE55A5F750CF65A4402BD2BA8BB44FA8F184139DE0E97BA6DF38D489C740

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1279662727-0
                                            • Opcode ID: 79491aa10e773e0c302c047c4418e2f379399a005a06daa6a5ce9d1c3ac76bcc
                                            • Instruction ID: e79d3c519e8dcae42a0a88f1af73160abda6149a9c0d7fac01341773e1fb7756
                                            • Opcode Fuzzy Hash: 79491aa10e773e0c302c047c4418e2f379399a005a06daa6a5ce9d1c3ac76bcc
                                            • Instruction Fuzzy Hash: 0841A422E18B4283E7509B20A5103796765FB95B74F149334EA9C83BE3DF6CE5E88700

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            • Opcode ID: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                            • Instruction ID: cf0534db0d2d4235c9d850d13458c1a17df7d40f00897a229592b51170b1f7ca
                                            • Opcode Fuzzy Hash: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                            • Instruction Fuzzy Hash: 1051F861B09A6A46FB289E25981067E6699BF44FB4F184B30DE6D837D7EF3CD40C8701
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 1236291503-0
                                            • Opcode ID: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                            • Instruction ID: 9c5bd651f714819030cd3746cbc398fb55f93c538708a1c532016b570965faa0
                                            • Opcode Fuzzy Hash: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                            • Instruction Fuzzy Hash: 03311A21A4DE0A82FB14AB65E4217B91399AF45FB4FD44035E90ECB7E7DE2DE40CC640
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: 0f9b56d894b59bf5b7e8383ca5e0cbe51dcfa835e806d662f5735474265d4d92
                                            • Instruction ID: eaf18b6ef6752fb9a8daa79c4d72f05f8da79ee893d578b4216f7ac94039a59f
                                            • Opcode Fuzzy Hash: 0f9b56d894b59bf5b7e8383ca5e0cbe51dcfa835e806d662f5735474265d4d92
                                            • Instruction Fuzzy Hash: 56319E62A18F46A1EB608B14E9901793658FB45FB0F680329DB6E973F1CF38F4A5D301
                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6117AA55D,?,?,00000000,00007FF6117AA612), ref: 00007FF6117AA74E
                                            • GetLastError.KERNEL32(?,?,?,00007FF6117AA55D,?,?,00000000,00007FF6117AA612), ref: 00007FF6117AA758
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ChangeCloseErrorFindLastNotification
                                            • String ID:
                                            • API String ID: 1687624791-0
                                            • Opcode ID: fa9ac4c151c8ebe2f15a9508e0179b12dcacbbb1569cdd32a455063ae332efe8
                                            • Instruction ID: 8d4179cf2cb72e7a2f3328137540083bee83b517fdf98b64bbaf4b06803da31e
                                            • Opcode Fuzzy Hash: fa9ac4c151c8ebe2f15a9508e0179b12dcacbbb1569cdd32a455063ae332efe8
                                            • Instruction Fuzzy Hash: FA215021F0CE4241EB90A761B4942BA5AA99F84FB0F084235DA2F877E3DE6CE4494301
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6117ABD94,?,?,?,00000000,?,00007FF6117ABE9D), ref: 00007FF6117ABDF4
                                            • GetLastError.KERNEL32(?,?,?,?,?,00007FF6117ABD94,?,?,?,00000000,?,00007FF6117ABE9D), ref: 00007FF6117ABDFE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID:
                                            • API String ID: 2976181284-0
                                            • Opcode ID: ede5fc4d7b12468b8e87ad72fb039376ac055e7d4bec884aeb090efb761c461e
                                            • Instruction ID: ce1ba42b1efaed16f548e38d6514df8be39c88311f7c82063320164438bb8a2f
                                            • Opcode Fuzzy Hash: ede5fc4d7b12468b8e87ad72fb039376ac055e7d4bec884aeb090efb761c461e
                                            • Instruction Fuzzy Hash: 3711C162A0CE8181DB208B25B84417A6369AB85FF4F584731EE7D8B7EADF3CD0598740
                                            APIs
                                            • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA0FA
                                            • GetLastError.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA104
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorLanguagesLastPreferredRestoreThread
                                            • String ID:
                                            • API String ID: 588628887-0
                                            • Opcode ID: 042bc8721a3345eaabeb78b0f294181831f5ba70ab5432ae3c86ec800ea28b45
                                            • Instruction ID: a40fbc9aed34037c43403ca69a92f383c623ace8934b37bfe7bfdea2f18d86fe
                                            • Opcode Fuzzy Hash: 042bc8721a3345eaabeb78b0f294181831f5ba70ab5432ae3c86ec800ea28b45
                                            • Instruction Fuzzy Hash: 1DE0EC50F0DE4692FF186BB2A84907916699F84FA0F488434DD0DC7363EE2CB89D4710
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            • Opcode ID: bd077d8a5a7c03cd002072d8ca953402e38cbe5d3df466adb21d87e7869545d0
                                            • Instruction ID: 551640ba723c9955a3756ed534cddf90defe97d323014fbec012bece94605f18
                                            • Opcode Fuzzy Hash: bd077d8a5a7c03cd002072d8ca953402e38cbe5d3df466adb21d87e7869545d0
                                            • Instruction Fuzzy Hash: 2141E332908A0583EB349B18F55027977A8FB56FA0F180530DB9EC37A6CF2DE80AC751
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _fread_nolock
                                            • String ID:
                                            • API String ID: 840049012-0
                                            APIs
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                              • Part of subcall function 00007FF6117AD444: RtlAllocateHeap.NTDLL(?,?,?,00007FF6117AD3AD,?,?,?,00007FF6117A105F), ref: 00007FF6117AD482
                                            • RtlReAllocateHeap.NTDLL(?,?,00000000,00007FF6117B323B,?,?,?,00007FF6117A9B57,?,?,?,00007FF6117A9A4D,?,?,?,00007FF6117A9E2E), ref: 00007FF6117B7D41
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            APIs
                                            • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6117AAEAA,?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012), ref: 00007FF6117AEBD9
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            APIs
                                            • RtlAllocateHeap.NTDLL(?,?,?,00007FF6117AD3AD,?,?,?,00007FF6117A105F), ref: 00007FF6117AD482
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            APIs
                                            • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF61179B290
                                              • Part of subcall function 00007FF61179BCB8: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF61179BCC0
                                              • Part of subcall function 00007FF61179BCB8: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF61179BCC5
                                            Similarity
                                            • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                            • String ID:
                                            • API String ID: 1208906642-0
                                            APIs
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117942F0
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF611794331
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF611794356
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF61179437B
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117943A3
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117943CB
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117943F3
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF61179441B
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF611794443
                                            Strings
                                            Similarity
                                            • API ID: AddressProc
                                            • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                            • API String ID: 190572456-2007157414
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                            • API String ID: 808467561-2761157908
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                            • String ID: %s\*
                                            • API String ID: 1057558799-766152087
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                            • API String ID: 0-2665694366
                                            • Opcode ID: 26bba0e386051ca0755ea61f277e00a0bceac020678a7f97c30128c98cea2ffa
                                            • Instruction ID: 3d265de3a2b0115f052b77af0b0fe6acf63105ea669820cb21256ae443f762bc
                                            • Opcode Fuzzy Hash: 26bba0e386051ca0755ea61f277e00a0bceac020678a7f97c30128c98cea2ffa
                                            • Instruction Fuzzy Hash: BC52D772A14AAA8BE7548F14D468B7E3BADFB44760F054139E64A87781EF3CD94CCB40
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: dec8059712e99081e2e259c55c2c48a2db8476306f1af611de12d5d4c368715b
                                            • Instruction ID: 13ee962daea96be3ac84bc0a060770c9a3cfe21c7c16a8967b5d7300835f52e2
                                            • Opcode Fuzzy Hash: dec8059712e99081e2e259c55c2c48a2db8476306f1af611de12d5d4c368715b
                                            • Instruction Fuzzy Hash: D5312F72608F858AEB609F60E8947F97368FB84B54F44403ADA4E87B95EF38D54CC714
                                            APIs
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5B45
                                              • Part of subcall function 00007FF6117B5498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B54AC
                                              • Part of subcall function 00007FF6117AA0E4: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA0FA
                                              • Part of subcall function 00007FF6117AA0E4: GetLastError.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA104
                                              • Part of subcall function 00007FF6117AA4C4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6117AA4A3,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AA4CD
                                              • Part of subcall function 00007FF6117AA4C4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6117AA4A3,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AA4F2
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5B34
                                              • Part of subcall function 00007FF6117B54F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B550C
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DAA
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DBB
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DCC
                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6117B600C), ref: 00007FF6117B5DF3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
                                            • String ID:
                                            • API String ID: 1458651798-0
                                            • Opcode ID: 87b467ba01405d4ab23210905a1548530960517e986d068784f96916153947de
                                            • Instruction ID: 96b3fcb23e76d20984a08f1c0ed25d08e94c780c8d78f7309438d2e8c3c06195
                                            • Opcode Fuzzy Hash: 87b467ba01405d4ab23210905a1548530960517e986d068784f96916153947de
                                            • Instruction Fuzzy Hash: 0DD1C222A18A4286EB20EF26D4811B96769FF84FA4F84C135EA4DC7797DF3CE4498744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 18bd89ddc904fac5e08f82f97f687fabcb8e5781267cf91c135aead5cf591e4d
                                            • Instruction ID: d0c644f1894186fa76ebd312468eef9b1ef65900a65407290f8400d494bee9d4
                                            • Opcode Fuzzy Hash: 18bd89ddc904fac5e08f82f97f687fabcb8e5781267cf91c135aead5cf591e4d
                                            • Instruction Fuzzy Hash: 81315336618F8585DB60DF25E8402AE73A8FB88B64F544135EA8D83B96DF3CD559CB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: FileFindFirst_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2227656907-0
                                            • Opcode ID: 58e3c91b6142067eeee0e522e8a8604c9ebd6759ac92f6b05f128d6b9fdf1f90
                                            • Instruction ID: 1013f18bdf25e4085c083f0e9f841273715b95ac290a8a87be7eb8085173843b
                                            • Opcode Fuzzy Hash: 58e3c91b6142067eeee0e522e8a8604c9ebd6759ac92f6b05f128d6b9fdf1f90
                                            • Instruction Fuzzy Hash: F3B1C522B18E9681EB619B21F5042B96399FB44FF4F448131EA5D87BD6EF3CE449C304
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFormatLastMessage
                                            • String ID: %ls: %ls$<FormatMessageW failed.>
                                            • API String ID: 3479602957-1483686772
                                            • Opcode ID: ce471f065344242f80e8e4fce995234d15c7919f1d37abcf6bc16450676127a6
                                            • Instruction ID: 6f648042d55d8673d8ff9d4bc10f470366e9e4764e93b1f713b811e8d412e53c
                                            • Opcode Fuzzy Hash: ce471f065344242f80e8e4fce995234d15c7919f1d37abcf6bc16450676127a6
                                            • Instruction Fuzzy Hash: 8C11A072B08F4185F7209B12B8047AA6758BB88BE4F084135EE8E877AADF3CD54D8740
                                            APIs
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DAA
                                              • Part of subcall function 00007FF6117B54F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B550C
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DBB
                                              • Part of subcall function 00007FF6117B5498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B54AC
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DCC
                                              • Part of subcall function 00007FF6117B54C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B54DC
                                              • Part of subcall function 00007FF6117AA0E4: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA0FA
                                              • Part of subcall function 00007FF6117AA0E4: GetLastError.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA104
                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6117B600C), ref: 00007FF6117B5DF3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                            • String ID:
                                            • API String ID: 2248164782-0
                                            • Opcode ID: 42261dce043aad9768269ac913bc210d84eadb49ae327d87659dcf3f3c6d79c5
                                            • Instruction ID: 14ab1797b742127b6f3aa5ee938c223a76f2cdb3d8b597db74b2c376f5efee69
                                            • Opcode Fuzzy Hash: 42261dce043aad9768269ac913bc210d84eadb49ae327d87659dcf3f3c6d79c5
                                            • Instruction Fuzzy Hash: 38518F72A18E4286E720EF21E8815B96768FF48FA4F448135EA4DC7B97DF3CE4488744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: c5f1a451cea918b3d295fbd489f38e5bd1b238518de27717531c6a83961092e0
                                            • Instruction ID: 653fd4473a795520ee82f489d9f13e508afcb16ca0560e8f8ea06b23ab907c79
                                            • Opcode Fuzzy Hash: c5f1a451cea918b3d295fbd489f38e5bd1b238518de27717531c6a83961092e0
                                            • Instruction Fuzzy Hash: F5112E22B14F068AEB10CF60E8542B833A8FB59B68F440E31DE6D877A5DF7CD1988340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memcpy_s
                                            • String ID:
                                            • API String ID: 1502251526-0
                                            • Opcode ID: 57a8bb62846f71c15516153ffb7b4828fa003a6834a4406426bc392e6d140f03
                                            • Instruction ID: a7c82c1f5c80e902161a7bb1cd63d4eb42b8968826486382b9927b9b589809b6
                                            • Opcode Fuzzy Hash: 57a8bb62846f71c15516153ffb7b4828fa003a6834a4406426bc392e6d140f03
                                            • Instruction Fuzzy Hash: 13C10572B1CA8587E724CF1AA04866AB795F788B94F40C235DF4A83785DF3CE885CB44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $header crc mismatch$unknown header flags set
                                            • API String ID: 0-1127688429
                                            • Opcode ID: 1d902e8f901c38a96aeb86b43eb5ceac74d2cfcee7f470a0dea70dadb94eeeae
                                            • Instruction ID: 6037488c1f7d494e81f306d0e79c2a1a7982f16823f395fea2ba2129c6d9c6d9
                                            • Opcode Fuzzy Hash: 1d902e8f901c38a96aeb86b43eb5ceac74d2cfcee7f470a0dea70dadb94eeeae
                                            • Instruction Fuzzy Hash: 26F19572618BDD8BE7A58B14C098A3A7AADFF45B70F094538DA4987392CF38D94CC740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ExceptionRaise_clrfp
                                            • String ID:
                                            • API String ID: 15204871-0
                                            • Opcode ID: f2e3f23937f2a68c93e747974962f69d529cdec0ec74e941ed306e0113d88ba4
                                            • Instruction ID: a15b01f06ea3bc33ecf6cd0ced4956ff0f30ff787a34e65c43b78bca254a29d6
                                            • Opcode Fuzzy Hash: f2e3f23937f2a68c93e747974962f69d529cdec0ec74e941ed306e0113d88ba4
                                            • Instruction Fuzzy Hash: FDB18BB3A04B858BEB55CF29C8863683BA4F780F58F14C821DAAD837A9DF39D455C704
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $
                                            • API String ID: 0-227171996
                                            • Opcode ID: a7bf39730b2c182d9b52e27ba2ba57ef23e99f5aa1b821fca8ab5d1831919a4a
                                            • Instruction ID: 516e1ed526ded5265d7d56da114354738e534cb50df037eb123c15f853efeddf
                                            • Opcode Fuzzy Hash: a7bf39730b2c182d9b52e27ba2ba57ef23e99f5aa1b821fca8ab5d1831919a4a
                                            • Instruction Fuzzy Hash: 72E1C876A0CE4286EB688E25A05013D37A8FF45FA8F2C5135DA4E877B6DF6DD849C700
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: incorrect header check$invalid window size
                                            • API String ID: 0-900081337
                                            • Opcode ID: bc24f6c5e24477ccd4c15fe8def47b66156c7834ca1ef16c1479b41b30bebea5
                                            • Instruction ID: 6cf264ef709ec7e9639982bdb7cca9f6abd6315e5d3adb87ee2ef22fe6400112
                                            • Opcode Fuzzy Hash: bc24f6c5e24477ccd4c15fe8def47b66156c7834ca1ef16c1479b41b30bebea5
                                            • Instruction Fuzzy Hash: DF91C972A18ACE87F7A58B14C498B7E3A9DFB44770F114139DA4986791DF38E54CCB00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: e+000$gfff
                                            • API String ID: 0-3030954782
                                            • Opcode ID: bfe0f1466ff7f7ecb7ec295dd737c4642cfb5e3859abd1c999ff2cb22516b14b
                                            • Instruction ID: a251e7944c9d0a03ec034289377e7b07dabf2cdc08af0edc1c6208733bd6a9da
                                            • Opcode Fuzzy Hash: bfe0f1466ff7f7ecb7ec295dd737c4642cfb5e3859abd1c999ff2cb22516b14b
                                            • Instruction Fuzzy Hash: 18516A62B1CAC586E7248E35E84076D6B95E758FA0F4CC231CB6887BE6CF7DD4498700
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: gfffffff
                                            • API String ID: 0-1523873471
                                            • Opcode ID: cf4a6b258e0559303b3c475f79c1c5a3bd9e8d2fcac4499dc9c5272fbf1ab9c6
                                            • Instruction ID: 4d97c3aa463ab1e6d4f4bf52cf9cdfbc9ad0d7c5a9a95c7995a8f17197dbd715
                                            • Opcode Fuzzy Hash: cf4a6b258e0559303b3c475f79c1c5a3bd9e8d2fcac4499dc9c5272fbf1ab9c6
                                            • Instruction Fuzzy Hash: 9DA13763A0CBC587EB21CB25E0507AD7799EB55FA4F088032DA4D877A6DE3DD909C701
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: TMP
                                            • API String ID: 3215553584-3125297090
                                            • Opcode ID: 3d06e942db0d0aa61c0853d5b86f42f8db5e9f4413fd96033572d36b82d3baf6
                                            • Instruction ID: 7b5f4f38a685d642f9d2c43db2dcf1ec560aff89312618d06e4f88fd746934a6
                                            • Opcode Fuzzy Hash: 3d06e942db0d0aa61c0853d5b86f42f8db5e9f4413fd96033572d36b82d3baf6
                                            • Instruction Fuzzy Hash: C851B211B08E4281FB64AB27B5111BA52996F44FE5F5C8439DE0EC77F7EE3DE44A4204
                                            APIs
                                            Similarity
                                            • API ID: HeapProcess
                                            • String ID:
                                            • API String ID: 54951025-0
                                            • Opcode ID: d9331582f5f8571c5bc5c8c2dd552919138c8d336df64ce569163af01c0c82c8
                                            • Instruction ID: 7dae531039b3819ecd934bcf43d2252d13ec7f518ae7423792c454391340ad8e
                                            • Opcode Fuzzy Hash: d9331582f5f8571c5bc5c8c2dd552919138c8d336df64ce569163af01c0c82c8
                                            • Instruction Fuzzy Hash: 7CB09B10E07E45C6DB4417115C8112413687F44B10F944034D40C82321DE2C20AD4700
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            • Opcode ID: dafa21fd323fba1ffdb82202de70c6ebe6d7ee83da844ca0b8fe7320dd75a47a
                                            • Instruction ID: 98c97c8e8cd6fd954afc6485e2fe57390324d959a218d7381a797cafdf2242e0
                                            • Opcode Fuzzy Hash: dafa21fd323fba1ffdb82202de70c6ebe6d7ee83da844ca0b8fe7320dd75a47a
                                            • Instruction Fuzzy Hash: AE61E932E1CA9246F7648A2894542796699EF40F74F148639FB2DC37D7EF7DE8088704
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                            • Instruction ID: 505a10b26b337adb51fa1b76d7798a076486fdae909cd5f2b85fa944d68b8adc
                                            • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                            • Instruction Fuzzy Hash: 7841A452C0EE4B45EB958A1C65146B86688AF22FB1D5C53B4DD9AD33FBCF0CE59EC200
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorLanguagesLastPreferredRestoreThread
                                            • String ID:
                                            • API String ID: 588628887-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: AddressProc
                                            • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                            • API String ID: 190572456-573889970
                                            APIs
                                              • Part of subcall function 00007FF611797800: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6117931D4,00000000,00007FF611791905), ref: 00007FF611797839
                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF611796EC7,?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF6117969FC
                                            Strings
                                            Similarity
                                            • API ID: ByteCharEnvironmentExpandMultiStringsWide
                                            • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                            • API String ID: 2001182103-930877121
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: -$:$f$p$p
                                            • API String ID: 3215553584-2013873522
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: f$f$p$p$f
                                            • API String ID: 3215553584-1325933183
                                            Strings
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                            • API String ID: 2050909247-3659356012
                                            Strings
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                            • API String ID: 2050909247-3659356012
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            APIs
                                            • FreeLibrary.KERNEL32(?,?,?,00007FF6117AEF96,?,?,000001E0EC517F48,00007FF6117AA8DB,?,?,?,00007FF6117AA7D2,?,?,?,00007FF6117A5D5E), ref: 00007FF6117AED78
                                            • GetProcAddress.KERNEL32(?,?,?,00007FF6117AEF96,?,?,000001E0EC517F48,00007FF6117AA8DB,?,?,?,00007FF6117AA7D2,?,?,?,00007FF6117A5D5E), ref: 00007FF6117AED84
                                            Strings
                                            Similarity
                                            • API ID: AddressFreeLibraryProc
                                            • String ID: api-ms-$ext-ms-
                                            • API String ID: 3013587201-537541572
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C17D
                                            • GetLastError.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C18B
                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C1B5
                                            • FreeLibrary.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C223
                                            • GetProcAddress.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C22F
                                            Strings
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            APIs
                                            Similarity
                                            • API ID: Value$ErrorLast
                                            • String ID:
                                            • API String ID: 2506987500-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                            • String ID: CONOUT$
                                            • API String ID: 3230265001-3130406586
                                            APIs
                                            • GetLastError.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAE57
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAE8D
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAEBA
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAECB
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAEDC
                                            • SetLastError.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAEF7
                                            Similarity
                                            • API ID: Value$ErrorLast
                                            • String ID:
                                            • API String ID: 2506987500-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            APIs
                                            Similarity
                                            • API ID: _set_statfp
                                            • String ID:
                                            • API String ID: 1156100317-0
                                            APIs
                                            • FlsGetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF2F
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF4E
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF76
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF87
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF98
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            APIs
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: verbose
                                            • API String ID: 3215553584-579935070
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                            • API String ID: 3215553584-1196891531
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            APIs
                                            • CreateDirectoryW.KERNEL32(00000000,?,00007FF61179240C,?,?,00007FF611792BD3), ref: 00007FF611796812
                                            Strings
                                            Similarity
                                            • API ID: CreateDirectory
                                            • String ID: %.*s$%s%c$\
                                            • API String ID: 4241100979-1685191245
                                            APIs
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight$_isindst
                                            • String ID:
                                            • API String ID: 4170891091-0
                                            • Opcode ID: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
                                            • Instruction ID: acf96e78ac89aaa758ed90aa082ec795f4bb6c66ffefb05db2cca2ac8bf428e3
                                            • Opcode Fuzzy Hash: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
                                            • Instruction Fuzzy Hash: E0514832F04A128AEB14CF64A9916BC67A9AB01B78F140235DD1DD2BF6DF38E50AC701
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                            • String ID:
                                            • API String ID: 2780335769-0
                                            • Opcode ID: ef755d5346959fbddc4573098100f0e197fecc80316e8c20252f2b5a31e3b312
                                            • Instruction ID: 1dac7ce16f650c579362d327e0d79dd1671c8e1e9081494bcd7d644abac84a28
                                            • Opcode Fuzzy Hash: ef755d5346959fbddc4573098100f0e197fecc80316e8c20252f2b5a31e3b312
                                            • Instruction Fuzzy Hash: 86517022E18A418AFB10DF71E4503BD37A9BB48F68F198535DE099B7AADF38D4498740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Window$Process$ConsoleCurrentShowThread
                                            • String ID:
                                            • API String ID: 242035731-0
                                            • Opcode ID: ce431efa17345d7651078cf11ef9ccbb6a86d2f3d8659cd5f010f407bfbcc38a
                                            • Instruction ID: 280bccdfc4e1be2445242e5e28c957b1b6b2d95b8c4d48d8596e3e92498abf00
                                            • Opcode Fuzzy Hash: ce431efa17345d7651078cf11ef9ccbb6a86d2f3d8659cd5f010f407bfbcc38a
                                            • Instruction Fuzzy Hash: 49F03021A19E4EC2EF645B66A85403967A9FF88FB0B085030DD4E83366DF3CE04D8A04
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Window$Process$ConsoleCurrentShowThread
                                            • String ID:
                                            • API String ID: 242035731-0
                                            • Opcode ID: b8f031c1363efa834fdbd56010d3ef4b44edc5dcbdf772b005a24d0a5bd8a786
                                            • Instruction ID: c84947becb4c6b08512123c128e3984ea3dc00964f3a39dbf8306d0b90be9f7f
                                            • Opcode Fuzzy Hash: b8f031c1363efa834fdbd56010d3ef4b44edc5dcbdf772b005a24d0a5bd8a786
                                            • Instruction Fuzzy Hash: D4F03021A19E8AC2EBA05B26A8546396269FF88FB4F585030DD4E87755DF3CE44DCB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight$_invalid_parameter_noinfo
                                            • String ID: ?
                                            • API String ID: 1286766494-1684325040
                                            • Opcode ID: 1c83a1720d45a771045ce60356bff33d66c21c843874825a6d4da0f7ef7d0a4b
                                            • Instruction ID: dab9e1108ea5d173cc3deb2b7044b45b6c04bf96d9d4e49c36d8035b763f39d7
                                            • Opcode Fuzzy Hash: 1c83a1720d45a771045ce60356bff33d66c21c843874825a6d4da0f7ef7d0a4b
                                            • Instruction Fuzzy Hash: E641F612A08B8246FB649B25E54537A6B68EF80FB4F148235EF5C86BD7DF3CD4858B04
                                            APIs
                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117A8C02
                                              • Part of subcall function 00007FF6117AA0E4: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA0FA
                                              • Part of subcall function 00007FF6117AA0E4: GetLastError.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA104
                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF61179B005), ref: 00007FF6117A8C20
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
                                            • String ID: C:\Users\user\Desktop\Eclf71HXa1.exe
                                            • API String ID: 2553983749-748119270
                                            • Opcode ID: 9ce12ff3a883e124a6cc238180b9094a15e3d479f9e0930c5f1db475a7f69b26
                                            • Instruction ID: 1300f33bcd22fa2f0cc854a0d0004001456140a85051cc8f6365ca0bef03daaf
                                            • Opcode Fuzzy Hash: 9ce12ff3a883e124a6cc238180b9094a15e3d479f9e0930c5f1db475a7f69b26
                                            • Instruction Fuzzy Hash: 7C416236A09F5685EB14EF25F4410B96698FF44FE4B584036EA4E83BA6DF3DE489C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory_invalid_parameter_noinfo
                                            • String ID: .$:
                                            • API String ID: 2020911589-4202072812
                                            • Opcode ID: 3e70955a61d403852169feba9daedd801f1552a1b7cd6f86facb1308b23a296b
                                            • Instruction ID: 2428f81880e1576c95fbe892f13c13bf17b49601a96e644ff73c400dbd77debe
                                            • Opcode Fuzzy Hash: 3e70955a61d403852169feba9daedd801f1552a1b7cd6f86facb1308b23a296b
                                            • Instruction Fuzzy Hash: CB412E22F18F5288FB119BB1A8511BD2AB86F05B68F584435DE0DA7B97EF3C9449C314
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: U
                                            • API String ID: 442123175-4171548499
                                            • Opcode ID: e788713b5b8835d85b89640d10adf88a63234f8ab00a052097ad5adc3a9f47d8
                                            • Instruction ID: 3dea739d7fdfe44126d0735e802f00072e29dff94fd39aeb40e98c3048937dec
                                            • Opcode Fuzzy Hash: e788713b5b8835d85b89640d10adf88a63234f8ab00a052097ad5adc3a9f47d8
                                            • Instruction Fuzzy Hash: 8741B222A18A8595DB20CF25F4443A97768FB88BA4F444131EE8DC7799DF3CD449C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory
                                            • String ID: :
                                            • API String ID: 1611563598-336475711
                                            • Opcode ID: db56689b931854d1007cef9754275ffa679a8e30b1d9386784ca568062745c64
                                            • Instruction ID: 7fcc787aa7c91b9db5ca52245d300680393210bb860360860a0d0481306a4b12
                                            • Opcode Fuzzy Hash: db56689b931854d1007cef9754275ffa679a8e30b1d9386784ca568062745c64
                                            • Instruction Fuzzy Hash: 2421E662A08A4281EB20DF11E44427D73B9FB84F94F598135DA8D837D6DF7CE548CB41
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: 712c94e0b71dfeb4192b1cdcdfcedba21e043517165edae9774edb0317bea208
                                            • Instruction ID: c003dc5e631905d10dc6dfe821b14af2fdd238ef9e669c4e6cc1f8527988d6e2
                                            • Opcode Fuzzy Hash: 712c94e0b71dfeb4192b1cdcdfcedba21e043517165edae9774edb0317bea208
                                            • Instruction Fuzzy Hash: 2A113772608B8482EB208B15E4502A977E9FB88BA4F188634EE8D47769DF3CC559CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2902539942.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000000.00000002.2902509467.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902582835.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902614182.00007FF6117D4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2902670423.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: DriveType_invalid_parameter_noinfo
                                            • String ID: :
                                            • API String ID: 2595371189-336475711
                                            • Opcode ID: 7720afce7fc7e91d22e9568d01b70dcbdfe4efe47a81c0f43b4b432c02103839
                                            • Instruction ID: 5126dd18ecd6b8d0895c14c3057bdf4a412e47b595fe36ba5321c5e4532f7b20
                                            • Opcode Fuzzy Hash: 7720afce7fc7e91d22e9568d01b70dcbdfe4efe47a81c0f43b4b432c02103839
                                            • Instruction Fuzzy Hash: 3B018F6191CA0782F731AF60A86567E27A8EF48B24F944435D94DC6B93DF2CE54C8B18

                                            Execution Graph

                                            Execution Coverage:0.8%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:0%
                                            Total number of Nodes:606
                                            Total number of Limit Nodes:16
7ff61179b0db __scrt_release_startup_lock 110493->110501 110647 7ff61179b59c 7 API calls 2 library calls 110495->110647 110497 7ff61179b100 110498 7ff61179b208 __GetCurrentState 110499 7ff61179b186 110518 7ff6117a9338 110499->110518 110501->110497 110501->110499 110643 7ff6117a96e4 45 API calls 110501->110643 110503 7ff61179b18b 110524 7ff611791000 110503->110524 110507 7ff61179b1af 110507->110498 110645 7ff61179b400 7 API calls 110507->110645 110509 7ff61179b1c6 110509->110497 110511 7ff61179b284 110510->110511 110512 7ff61179b290 __scrt_dllmain_crt_thread_attach 110511->110512 110513 7ff61179b29d 110512->110513 110517 7ff61179b0b5 110512->110517 110648 7ff6117a9f8c 110513->110648 110517->110492 110517->110493 110519 7ff6117a935d 110518->110519 110520 7ff6117a9348 110518->110520 110519->110503 110520->110519 110665 7ff6117a8dc8 40 API calls __free_lconv_num 110520->110665 110522 7ff6117a9366 110522->110519 110666 7ff6117a9188 12 API calls 3 library calls 110522->110666 110525 7ff6117926b0 110524->110525 110667 7ff6117a5220 110525->110667 110527 7ff6117926eb 110674 7ff6117925a0 110527->110674 110530 7ff6117926f8 110533 7ff61179a9b0 _log10_special 8 API calls 110530->110533 110536 7ff611792a6e 110533->110536 110534 7ff611792836 110538 7ff6117931a0 108 API calls 110534->110538 110535 7ff61179272c 110537 7ff611791bd0 49 API calls 110535->110537 110644 7ff61179b6ec GetModuleHandleW 110536->110644 110540 7ff611792748 110537->110540 110539 7ff611792846 110538->110539 110541 7ff611792885 110539->110541 110758 7ff611796870 110539->110758 110543 7ff611792994 110540->110543 110544 7ff61179299b 110540->110544 110767 7ff611791df0 81 API calls 110541->110767 110769 7ff611797440 GetConsoleWindow GetCurrentProcessId GetWindowThreadProcessId ShowWindow 110543->110769 110548 7ff61179299f 110544->110548 110549 7ff6117929a4 110544->110549 110546 7ff611792878 110552 7ff61179289f 110546->110552 110553 7ff61179287d 110546->110553 110770 7ff6117975b0 GetConsoleWindow GetCurrentProcessId 
GetWindowThreadProcessId ShowWindow 110548->110770 110736 7ff611797040 110549->110736 110555 7ff611791bd0 49 API calls 110552->110555 110557 7ff61179e444 74 API calls 110553->110557 110554 7ff611792999 110554->110549 110558 7ff6117928be 110555->110558 110556 7ff6117929b0 __std_exception_destroy 110559 7ff6117929f2 110556->110559 110560 7ff611792ab3 110556->110560 110557->110541 110563 7ff6117918d0 114 API calls 110558->110563 110562 7ff611797040 14 API calls 110559->110562 110775 7ff6117930c0 49 API calls 110560->110775 110565 7ff6117929fe 110562->110565 110566 7ff6117928df 110563->110566 110564 7ff611792ac1 110567 7ff611792ae0 110564->110567 110568 7ff611792ad4 110564->110568 110771 7ff6117971b0 40 API calls __std_exception_destroy 110565->110771 110566->110540 110570 7ff6117928ef 110566->110570 110572 7ff611791bd0 49 API calls 110567->110572 110776 7ff611793210 110568->110776 110768 7ff611791df0 81 API calls 110570->110768 110575 7ff611792a39 __std_exception_destroy 110572->110575 110573 7ff611792a0d 110576 7ff611792a84 110573->110576 110579 7ff611792a17 110573->110579 110577 7ff611797800 2 API calls 110575->110577 110584 7ff611792a40 110575->110584 110773 7ff611797490 87 API calls _log10_special 110576->110773 110581 7ff611792b0d 110577->110581 110580 7ff611791bd0 49 API calls 110579->110580 110580->110575 110583 7ff611792b1e SetDllDirectoryW 110581->110583 110581->110584 110582 7ff611792a89 110582->110584 110585 7ff611792a9e 110582->110585 110586 7ff611792b32 110583->110586 110772 7ff611791df0 81 API calls 110584->110772 110774 7ff611796e70 112 API calls 2 library calls 110585->110774 110588 7ff611792c95 110586->110588 110779 7ff6117957b0 80 API calls 110586->110779 110594 7ff611792ca0 110588->110594 110595 7ff611792ca7 110588->110595 110589 7ff611792aa6 110589->110575 110592 7ff611792aaa 110589->110592 110592->110584 110593 7ff611792b44 110780 7ff611795d20 113 API calls 2 library calls 110593->110780 110788 7ff611797440 GetConsoleWindow GetCurrentProcessId 
GetWindowThreadProcessId ShowWindow 110594->110788 110597 7ff611792cb0 110595->110597 110598 7ff611792cab 110595->110598 110749 7ff611792240 110597->110749 110789 7ff6117975b0 GetConsoleWindow GetCurrentProcessId GetWindowThreadProcessId ShowWindow 110598->110789 110600 7ff611792ca5 110600->110597 110602 7ff611792b59 110603 7ff611792bb6 110602->110603 110605 7ff611792b70 110602->110605 110781 7ff6117957f0 116 API calls _log10_special 110602->110781 110603->110588 110610 7ff611792bcb 110603->110610 110617 7ff611792b74 110605->110617 110782 7ff611795b90 115 API calls 110605->110782 110786 7ff6117922a0 117 API calls 2 library calls 110610->110786 110611 7ff611792b85 110611->110617 110783 7ff611795ef0 82 API calls 110611->110783 110612 7ff611792cca 110791 7ff6117959d0 FreeLibrary 110612->110791 110616 7ff611792bd3 110616->110530 110620 7ff611792bdb 110616->110620 110617->110603 110784 7ff611791df0 81 API calls 110617->110784 110619 7ff611792cd6 110787 7ff611797420 LocalFree 110620->110787 110622 7ff611792bae 110785 7ff6117959d0 FreeLibrary 110622->110785 110643->110499 110644->110507 110645->110509 110646->110495 110647->110498 110649 7ff6117b32ac 110648->110649 110650 7ff61179b2a2 110649->110650 110653 7ff6117ac1a0 110649->110653 110650->110517 110652 7ff61179bcb8 7 API calls 2 library calls 110650->110652 110652->110517 110664 7ff6117b01d8 EnterCriticalSection 110653->110664 110655 7ff6117ac1b0 110656 7ff6117a7f1c 43 API calls 110655->110656 110657 7ff6117ac1b9 110656->110657 110659 7ff6117abf9c 45 API calls 110657->110659 110663 7ff6117ac1c7 110657->110663 110658 7ff6117b0238 _isindst LeaveCriticalSection 110661 7ff6117ac1d3 110658->110661 110660 7ff6117ac1c2 110659->110660 110662 7ff6117ac08c GetStdHandle GetFileType 110660->110662 110661->110649 110662->110663 110663->110658 110665->110522 110666->110519 110670 7ff6117af380 110667->110670 110668 7ff6117af3d3 110792 7ff6117aa3d8 37 API calls 2 library calls 110668->110792 110670->110668 110671 7ff6117af426 
110670->110671 110793 7ff6117af258 71 API calls _fread_nolock 110671->110793 110673 7ff6117af3fc 110673->110527 110794 7ff61179acb0 110674->110794 110677 7ff6117925f8 110796 7ff6117976f0 FindFirstFileExW 110677->110796 110678 7ff6117925db 110801 7ff611791ed0 80 API calls 110678->110801 110682 7ff6117925ee 110686 7ff61179a9b0 _log10_special 8 API calls 110682->110686 110683 7ff611792665 110804 7ff6117978b0 WideCharToMultiByte WideCharToMultiByte __std_exception_destroy 110683->110804 110684 7ff61179260b 110802 7ff611797770 CreateFileW GetFinalPathNameByHandleW CloseHandle 110684->110802 110689 7ff61179269d 110686->110689 110688 7ff611792673 110688->110682 110805 7ff611791e50 78 API calls 110688->110805 110689->110530 110696 7ff6117918d0 110689->110696 110690 7ff611792618 110691 7ff611792634 __vcrt_InitializeCriticalSectionEx 110690->110691 110692 7ff61179261c 110690->110692 110691->110683 110803 7ff611791e50 78 API calls 110692->110803 110695 7ff61179262d 110695->110682 110697 7ff6117931a0 108 API calls 110696->110697 110698 7ff611791905 110697->110698 110699 7ff611791b96 110698->110699 110701 7ff611796870 83 API calls 110698->110701 110700 7ff61179a9b0 _log10_special 8 API calls 110699->110700 110703 7ff611791bb1 110700->110703 110702 7ff61179194b 110701->110702 110704 7ff61179eacc 73 API calls 110702->110704 110735 7ff61179197c 110702->110735 110703->110534 110703->110535 110706 7ff611791965 110704->110706 110705 7ff61179e444 74 API calls 110705->110699 110707 7ff611791981 110706->110707 110708 7ff611791969 110706->110708 110710 7ff61179e794 _fread_nolock 53 API calls 110707->110710 110806 7ff611791db0 80 API calls 110708->110806 110711 7ff611791999 110710->110711 110712 7ff61179199f 110711->110712 110713 7ff6117919b7 110711->110713 110807 7ff611791db0 80 API calls 110712->110807 110715 7ff6117919ce 110713->110715 110716 7ff6117919e6 110713->110716 110808 7ff611791db0 80 API calls 110715->110808 110718 7ff611791bd0 49 API calls 110716->110718 110719 7ff6117919fd 
110718->110719 110720 7ff611791bd0 49 API calls 110719->110720 110721 7ff611791a48 110720->110721 110722 7ff61179eacc 73 API calls 110721->110722 110723 7ff611791a6c 110722->110723 110724 7ff611791a81 110723->110724 110725 7ff611791a99 110723->110725 110809 7ff611791db0 80 API calls 110724->110809 110726 7ff61179e794 _fread_nolock 53 API calls 110725->110726 110728 7ff611791aae 110726->110728 110729 7ff611791ab4 110728->110729 110730 7ff611791acc 110728->110730 110810 7ff611791db0 80 API calls 110729->110810 110811 7ff61179e508 37 API calls 2 library calls 110730->110811 110733 7ff611791ae6 110733->110735 110812 7ff611791df0 81 API calls 110733->110812 110735->110705 110737 7ff61179704a 110736->110737 110738 7ff611797800 2 API calls 110737->110738 110739 7ff611797069 GetEnvironmentVariableW 110738->110739 110740 7ff6117970d2 110739->110740 110741 7ff611797086 ExpandEnvironmentStringsW 110739->110741 110742 7ff61179a9b0 _log10_special 8 API calls 110740->110742 110741->110740 110743 7ff6117970a8 110741->110743 110744 7ff6117970e4 110742->110744 110813 7ff6117978b0 WideCharToMultiByte WideCharToMultiByte __std_exception_destroy 110743->110813 110744->110556 110746 7ff6117970ba 110747 7ff61179a9b0 _log10_special 8 API calls 110746->110747 110748 7ff6117970ca 110747->110748 110748->110556 110814 7ff611794d50 110749->110814 110752 7ff611792279 110790 7ff611792560 FreeLibrary 110752->110790 110754 7ff611792261 110754->110752 110884 7ff611794a60 110754->110884 110756 7ff61179226d 110756->110752 110893 7ff611794bf0 81 API calls 110756->110893 110759 7ff611796894 110758->110759 110760 7ff61179696b __std_exception_destroy 110759->110760 110761 7ff61179eacc 73 API calls 110759->110761 110760->110546 110762 7ff6117968b0 110761->110762 110762->110760 110956 7ff6117a7664 110762->110956 110764 7ff6117968c5 110764->110760 110765 7ff61179eacc 73 API calls 110764->110765 110766 7ff61179e794 _fread_nolock 53 API calls 110764->110766 110765->110764 110766->110764 110767->110530 
110768->110530 110769->110554 110770->110549 110771->110573 110772->110530 110773->110582 110774->110589 110775->110564 110777 7ff611791bd0 49 API calls 110776->110777 110778 7ff611793240 110777->110778 110778->110575 110779->110593 110780->110602 110781->110605 110782->110611 110783->110617 110784->110622 110785->110603 110786->110616 110788->110600 110789->110597 110790->110612 110791->110619 110792->110673 110793->110673 110795 7ff6117925ac GetModuleFileNameW 110794->110795 110795->110677 110795->110678 110797 7ff61179772f FindClose 110796->110797 110798 7ff611797742 110796->110798 110797->110798 110799 7ff61179a9b0 _log10_special 8 API calls 110798->110799 110800 7ff611792602 110799->110800 110800->110683 110800->110684 110801->110682 110802->110690 110803->110695 110804->110688 110805->110682 110806->110735 110807->110735 110808->110735 110809->110735 110810->110735 110811->110733 110812->110735 110813->110746 110815 7ff611794d65 110814->110815 110816 7ff611791bd0 49 API calls 110815->110816 110817 7ff611794da1 110816->110817 110818 7ff611794daa 110817->110818 110819 7ff611794dcd 110817->110819 110904 7ff611791df0 81 API calls 110818->110904 110821 7ff611793210 49 API calls 110819->110821 110822 7ff611794de5 110821->110822 110823 7ff611794e03 110822->110823 110905 7ff611791df0 81 API calls 110822->110905 110894 7ff611793140 110823->110894 110826 7ff61179a9b0 _log10_special 8 API calls 110828 7ff61179224e 110826->110828 110828->110752 110845 7ff611794ee0 110828->110845 110829 7ff611794e1b 110831 7ff611793210 49 API calls 110829->110831 110830 7ff6117973d0 3 API calls 110830->110829 110832 7ff611794e34 110831->110832 110833 7ff611794e59 110832->110833 110834 7ff611794e39 110832->110834 110900 7ff6117973d0 110833->110900 110906 7ff611791df0 81 API calls 110834->110906 110837 7ff611794dc3 110837->110826 110838 7ff611794e66 110839 7ff611794e72 110838->110839 110840 7ff611794ea9 110838->110840 110841 7ff611797800 2 API calls 110839->110841 110908 7ff6117942e0 124 
API calls 110840->110908 110843 7ff611794e8a 110841->110843 110907 7ff611791ed0 80 API calls 110843->110907 110909 7ff611793eb0 110845->110909 110847 7ff611794f1a 110848 7ff611794f22 110847->110848 110849 7ff611794f33 110847->110849 110941 7ff611791df0 81 API calls 110848->110941 110916 7ff611793680 110849->110916 110853 7ff611794f3f 110942 7ff611791df0 81 API calls 110853->110942 110854 7ff611794f50 110856 7ff611794f5f 110854->110856 110857 7ff611794f70 110854->110857 110943 7ff611791df0 81 API calls 110856->110943 110920 7ff611793930 110857->110920 110858 7ff611794f2e 110858->110754 110861 7ff611794f8b 110862 7ff611794f8f 110861->110862 110863 7ff611794fa0 110861->110863 110944 7ff611791df0 81 API calls 110862->110944 110865 7ff611794faf 110863->110865 110866 7ff611794fc0 110863->110866 110945 7ff611791df0 81 API calls 110865->110945 110927 7ff6117937d0 110866->110927 110870 7ff611794fcf 110946 7ff611791df0 81 API calls 110870->110946 110872 7ff611794fe0 110873 7ff611794fef 110872->110873 110874 7ff611795000 110872->110874 110947 7ff611791df0 81 API calls 110873->110947 110876 7ff611795011 110874->110876 110878 7ff611795022 110874->110878 110948 7ff611791df0 81 API calls 110876->110948 110881 7ff61179504c 110878->110881 110949 7ff6117a704c 73 API calls 110878->110949 110880 7ff61179503a 110950 7ff6117a704c 73 API calls 110880->110950 110881->110858 110951 7ff611791df0 81 API calls 110881->110951 110885 7ff611794a80 110884->110885 110885->110885 110886 7ff611794ac0 __std_exception_destroy 110885->110886 110887 7ff611794aa9 110885->110887 110890 7ff611791420 113 API calls 110886->110890 110891 7ff611791df0 81 API calls 110886->110891 110892 7ff611794bcb 110886->110892 110955 7ff611791df0 81 API calls 110887->110955 110889 7ff611794ab5 110889->110756 110890->110886 110891->110886 110892->110756 110893->110752 110895 7ff61179314a 110894->110895 110896 7ff611797800 2 API calls 110895->110896 110897 7ff61179316f 110896->110897 110898 7ff61179a9b0 _log10_special 8 API 
calls 110897->110898 110899 7ff611793197 110898->110899 110899->110829 110899->110830 110901 7ff611797800 2 API calls 110900->110901 110902 7ff6117973e4 LoadLibraryW 110901->110902 110903 7ff611797403 __std_exception_destroy 110902->110903 110903->110838 110904->110837 110905->110823 110906->110837 110907->110837 110908->110837 110910 7ff611793edc 110909->110910 110911 7ff611793ee4 110910->110911 110912 7ff611794084 110910->110912 110952 7ff6117a68c4 48 API calls 110910->110952 110911->110847 110913 7ff611794247 __std_exception_destroy 110912->110913 110914 7ff6117933b0 47 API calls 110912->110914 110913->110847 110914->110912 110917 7ff6117936b0 110916->110917 110918 7ff61179a9b0 _log10_special 8 API calls 110917->110918 110919 7ff61179371a 110918->110919 110919->110853 110919->110854 110921 7ff61179399f 110920->110921 110925 7ff61179394b 110920->110925 110954 7ff611793530 MultiByteToWideChar MultiByteToWideChar __std_exception_destroy 110921->110954 110923 7ff6117939ac 110923->110861 110926 7ff61179398a 110925->110926 110953 7ff611793530 MultiByteToWideChar MultiByteToWideChar __std_exception_destroy 110925->110953 110926->110861 110928 7ff6117937e5 110927->110928 110929 7ff611791bd0 49 API calls 110928->110929 110930 7ff611793831 110929->110930 110931 7ff611791bd0 49 API calls 110930->110931 110940 7ff6117938b7 __std_exception_destroy 110930->110940 110933 7ff611793870 110931->110933 110932 7ff61179a9b0 _log10_special 8 API calls 110934 7ff61179390c 110932->110934 110935 7ff611797800 2 API calls 110933->110935 110933->110940 110934->110870 110934->110872 110936 7ff61179388a 110935->110936 110937 7ff611797800 2 API calls 110936->110937 110938 7ff6117938a1 110937->110938 110939 7ff611797800 2 API calls 110938->110939 110939->110940 110940->110932 110941->110858 110942->110858 110943->110858 110944->110858 110945->110858 110946->110858 110947->110858 110948->110858 110949->110880 110950->110881 110951->110858 110952->110910 110953->110926 110954->110923 
110955->110889 110957 7ff6117a7694 110956->110957 110960 7ff6117a7170 110957->110960 110959 7ff6117a76ad 110959->110764 110961 7ff6117a718b 110960->110961 110962 7ff6117a71ba 110960->110962 110971 7ff6117aa3d8 37 API calls 2 library calls 110961->110971 110970 7ff6117a4f7c EnterCriticalSection 110962->110970 110965 7ff6117a71bf 110967 7ff6117a71dc 38 API calls 110965->110967 110966 7ff6117a71ab 110966->110959 110968 7ff6117a71cb 110967->110968 110969 7ff6117a4f88 _fread_nolock LeaveCriticalSection 110968->110969 110969->110966 110971->110966

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                            • String ID:
                                            • API String ID: 1617910340-0
                                            • Opcode ID: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
                                            • Instruction ID: e9b766d30431cdaac40cbc9405adc1d7e96f258cced66ba8ef2a24421e978574
                                            • Opcode Fuzzy Hash: ad8ec9179d343e41af190c9267fc60de618bf9d8d7a5f79036b78aa83a48160c
                                            • Instruction Fuzzy Hash: 29C1B036B28E4585EB10CF65D4802BD3765FB49FA8B158225EF2E97796CF38E059C304
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
                                            • Instruction ID: 972c081b9856a23970fe85ca7da3338c6ec47a1dfcf132f97310e61f928a95b9
                                            • Opcode Fuzzy Hash: 37842ddde8711f02792dbd714da93d21ca306dbea5d47a61d34bf991ce214254
                                            • Instruction Fuzzy Hash: E1F0AF22A18A4A86FBA08B60B45937AA394BB84B38F404735DA6D427D5DF3CD00D8A00

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: FileModuleName
                                            • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$hide-early$hide-late$minimize-early$minimize-late$pkg$pyi-contents-directory$pyi-hide-console$pyi-runtime-tmpdir
                                            • API String ID: 514040917-560148345
                                            • Opcode ID: 3534348e9414c82c4bb7d6e7bc879e977e61efd18390a579fbb7b84cd8dcbdeb
                                            • Instruction ID: d8ac9cbfc25f4d0f4dd686041a56137b430c47ef5e3fd74e37701a3aed9e935a
                                            • Opcode Fuzzy Hash: 3534348e9414c82c4bb7d6e7bc879e977e61efd18390a579fbb7b84cd8dcbdeb
                                            • Instruction Fuzzy Hash: EE024A21A0CE8A91EB21EB2194652F92399AF54FB4F844032DE4DC7797EF2CE65CC350

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _fread_nolock
                                            • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                            • API String ID: 840049012-3497178890
                                            • Opcode ID: af9fc0d29f42384f9324ba838da93a22fb82fa64a7927549dfc7d635480b27cf
                                            • Instruction ID: 8c620b0e41646f975d9f01cc0a29356eb7411ee7b16a36e7b6d7574a7679abb4
                                            • Opcode Fuzzy Hash: af9fc0d29f42384f9324ba838da93a22fb82fa64a7927549dfc7d635480b27cf
                                            • Instruction Fuzzy Hash: B6719571A09E8A85EB60DB14E4602F923A9EF44FB4F448039D98DC779BEE2CE55C8740

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                            • API String ID: 2050909247-3659356012
                                            • Opcode ID: 70249131e65ecf6eb94e6a944a2ecd2d687c4b4316c8101cf0f6edc930edd2dc
                                            • Instruction ID: 0f3fcea1bba6350c25b1c0ca00733b7c3322455e2f2afd6706d0bbf516ef032c
                                            • Opcode Fuzzy Hash: 70249131e65ecf6eb94e6a944a2ecd2d687c4b4316c8101cf0f6edc930edd2dc
                                            • Instruction Fuzzy Hash: 94419421B08E4685EF249B15B4601B663A8EF44FF4F588036DE5E87B97EE3CE55D8700

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                            • API String ID: 2050909247-2813020118
                                            • Opcode ID: d47578902a7590cd0f8b32764d105715a12a9aab1d42d05c3b51c27ca00c80ed
                                            • Instruction ID: 8d1dd6cadd561c1cfbe894a3c69b4f064ef0f39e67a04b7eae93a1ffdf6bfde8
                                            • Opcode Fuzzy Hash: d47578902a7590cd0f8b32764d105715a12a9aab1d42d05c3b51c27ca00c80ed
                                            • Instruction Fuzzy Hash: 6451B662A08E4645E7609B15B4603BA62A5BF44BB4F484139ED4DC7BD7EF3CE55DC300

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            • Opcode ID: 516356d96cf40940481ead1f43cbac67c021cc9b8e5dc6dabb769548680b21bc
                                            • Instruction ID: cf103560c57645994348c8cee29478c094d9242e750a8d437430bedc28ea3a6d
                                            • Opcode Fuzzy Hash: 516356d96cf40940481ead1f43cbac67c021cc9b8e5dc6dabb769548680b21bc
                                            • Instruction Fuzzy Hash: D0C1B422A0CF8681E7609B15A4442BE3B58EB81FA0F5D4531DA4E837B3DF7DE54D8701

                                            Control-flow Graph

                                            APIs
                                            • GetModuleFileNameW.KERNEL32(?,00007FF6117926F4), ref: 00007FF6117925D1
                                              • Part of subcall function 00007FF611791ED0: GetLastError.KERNEL32 ref: 00007FF611791EEC
                                              • Part of subcall function 00007FF611791ED0: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6117925EE,?,00007FF6117926F4), ref: 00007FF611791F56
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileFormatLastMessageModuleName
                                            • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                            • API String ID: 1234058594-2863816727
                                            • Opcode ID: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
                                            • Instruction ID: 99f61b79627a72bc72382063b2a74599e56bb51525ce45dc1ba603623d7d34a7
                                            • Opcode Fuzzy Hash: 3ab6da95184e74374fe48baec535fe5bf269d99fd8fb3e70c2c2714cf1ced2a1
                                            • Instruction Fuzzy Hash: 92217F61B08E4681EB20AB25E8653B92258AF48BB4F804135E55DC6BD7EE2CE50C8744

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1279662727-0
                                            • Opcode ID: 79491aa10e773e0c302c047c4418e2f379399a005a06daa6a5ce9d1c3ac76bcc
                                            • Instruction ID: e79d3c519e8dcae42a0a88f1af73160abda6149a9c0d7fac01341773e1fb7756
                                            • Opcode Fuzzy Hash: 79491aa10e773e0c302c047c4418e2f379399a005a06daa6a5ce9d1c3ac76bcc
                                            • Instruction Fuzzy Hash: 0841A422E18B4283E7509B20A5103796765FB95B74F149334EA9C83BE3DF6CE5E88700

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            • Opcode ID: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                            • Instruction ID: cf0534db0d2d4235c9d850d13458c1a17df7d40f00897a229592b51170b1f7ca
                                            • Opcode Fuzzy Hash: 16af8936fa4a8cfb084170ab3fdfe968383d28d333c1f7fec82ea00825d56c1b
                                            • Instruction Fuzzy Hash: 1051F861B09A6A46FB289E25981067E6699BF44FB4F184B30DE6D837D7EF3CD40C8701

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                            • String ID:
                                            • API String ID: 1236291503-0
                                            • Opcode ID: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                            • Instruction ID: 9c5bd651f714819030cd3746cbc398fb55f93c538708a1c532016b570965faa0
                                            • Opcode Fuzzy Hash: 6551513a98c324d7d7ba12c955d8146a8b4f51f5bb9c93bdc58fe40068057fbf
                                            • Instruction Fuzzy Hash: 03311A21A4DE0A82FB14AB65E4217B91399AF45FB4FD44035E90ECB7E7DE2DE40CC640

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: 0f9b56d894b59bf5b7e8383ca5e0cbe51dcfa835e806d662f5735474265d4d92
                                            • Instruction ID: eaf18b6ef6752fb9a8daa79c4d72f05f8da79ee893d578b4216f7ac94039a59f
                                            • Opcode Fuzzy Hash: 0f9b56d894b59bf5b7e8383ca5e0cbe51dcfa835e806d662f5735474265d4d92
                                            • Instruction Fuzzy Hash: 56319E62A18F46A1EB608B14E9901793658FB45FB0F680329DB6E973F1CF38F4A5D301
                                            APIs
                                            • FindCloseChangeNotification.KERNEL32(?,?,?,00007FF6117AA55D,?,?,00000000,00007FF6117AA612), ref: 00007FF6117AA74E
                                            • GetLastError.KERNEL32(?,?,?,00007FF6117AA55D,?,?,00000000,00007FF6117AA612), ref: 00007FF6117AA758
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ChangeCloseErrorFindLastNotification
                                            • String ID:
                                            • API String ID: 1687624791-0
                                            • Opcode ID: fa9ac4c151c8ebe2f15a9508e0179b12dcacbbb1569cdd32a455063ae332efe8
                                            • Instruction ID: 8d4179cf2cb72e7a2f3328137540083bee83b517fdf98b64bbaf4b06803da31e
                                            • Opcode Fuzzy Hash: fa9ac4c151c8ebe2f15a9508e0179b12dcacbbb1569cdd32a455063ae332efe8
                                            • Instruction Fuzzy Hash: FA215021F0CE4241EB90A761B4942BA5AA99F84FB0F084235DA2F877E3DE6CE4494301
                                            APIs
                                            • SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6117ABD94,?,?,?,00000000,?,00007FF6117ABE9D), ref: 00007FF6117ABDF4
                                            • GetLastError.KERNEL32(?,?,?,?,?,00007FF6117ABD94,?,?,?,00000000,?,00007FF6117ABE9D), ref: 00007FF6117ABDFE
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            • Associated: 00000002.00000002.2903726070.00007FF611790000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903772888.00007FF6117BB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117CE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903795663.00007FF6117D3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000002.00000002.2903834209.00007FF6117D6000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID:
                                            • API String ID: 2976181284-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _fread_nolock
                                            • String ID:
                                            • API String ID: 840049012-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3215553584-0
                                            APIs
                                            • RtlAllocateHeap.NTDLL(?,?,?,00007FF6117AD3AD,?,?,?,00007FF6117A105F), ref: 00007FF6117AD482
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            APIs
                                            • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF61179B290
                                              • Part of subcall function 00007FF61179BCB8: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF61179BCC0
                                              • Part of subcall function 00007FF61179BCB8: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF61179BCC5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                            • String ID:
                                            • API String ID: 1208906642-0
                                            APIs
                                              • Part of subcall function 00007FF611797800: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6117931D4,00000000,00007FF611791905), ref: 00007FF611797839
                                            • LoadLibraryW.KERNEL32(?,00007FF611794E66,?,00007FF61179224E), ref: 00007FF6117973F2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ByteCharLibraryLoadMultiWide
                                            • String ID:
                                            • API String ID: 2592636585-0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            • Associated: 00000002.00000002.2904845772.00007FFE004C0000.00000002.00000001.01000000.0000000F.sdmp
                                            • Associated: 00000002.00000002.2904868520.00007FFE00531000.00000020.00000001.01000000.0000000F.sdmp
                                            • Associated: 00000002.00000002.2904936421.00007FFE00533000.00000002.00000001.01000000.0000000F.sdmp
                                            • Associated: 00000002.00000002.2904966052.00007FFE00556000.00000008.00000001.01000000.0000000F.sdmp
                                            • Associated: 00000002.00000002.2904988459.00007FFE0055A000.00000004.00000001.01000000.0000000F.sdmp
                                            • Associated: 00000002.00000002.2905008879.00007FFE0055B000.00000002.00000001.01000000.0000000F.sdmp
                                            • Associated: 00000002.00000002.2905008879.00007FFE00561000.00000002.00000001.01000000.0000000F.sdmp
                                            • Associated: 00000002.00000002.2905008879.00007FFE00568000.00000002.00000001.01000000.0000000F.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error$O_freeO_zalloc
                                            • String ID: ..\s\ssl\ssl_cert.c$gfffffff$~
                                            • API String ID: 3565116557-3298543876
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$L_sk_pop_free$L_sk_free$O_free_allX_free$D_lock_freeM_freeO_popT_freeX509_free
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 2505111139-1080266419
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: X_free
                                            • String ID: ..\s\ssl\t1_lib.c
                                            • API String ID: 2268491255-1643863364
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$O_ctrlO_newO_s_fileR_put_error
                                            • String ID: ..\s\ssl\ssl_rsa.c
                                            • API String ID: 775051240-2723262194
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_freeX_freeX_new
                                            • String ID: ..\s\ssl\statem\statem_lib.c
                                            • API String ID: 419883019-2839845709
                                            • Opcode ID: 996f4dcc4073e4494cc3207c1c73803027fb5d45eb1149080d138e4d2b486917
                                            • Instruction ID: 44bb1f3c56335288f19f2e3c6b5fc923993d33480fcbc49dbae758960c6e8271
                                            • Opcode Fuzzy Hash: 996f4dcc4073e4494cc3207c1c73803027fb5d45eb1149080d138e4d2b486917
                                            • Instruction Fuzzy Hash: A5915F32A0CA8281FA709A16A5517FA6792EFC5BD8F544031EF4D4BBADEF7CD5418B00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: D_read_lockD_unlockR_put_error$D_lock_freeD_lock_newO_freeO_zalloc_time64memcpymemset
                                            • String ID: $..\s\ssl\ssl_sess.c$T
                                            • API String ID: 2901958711-2024727245
                                            • Opcode ID: 7db9538a63387d73a2c364b0f93c0cdf62358132f4e246fa6e0eb5851c35c33c
                                            • Instruction ID: 2a061f516eae57bfa384ee21c7c9888ff493fb28a2e1135806614dc20d6fb51e
                                            • Opcode Fuzzy Hash: 7db9538a63387d73a2c364b0f93c0cdf62358132f4e246fa6e0eb5851c35c33c
                                            • Instruction Fuzzy Hash: 1EA16B32B08A8286E764DB61D5447FE77A0FB84B89F044036DB0D5B7A9DF3CE9558B04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$E_freeX509_Y_free$D_lock_freeL_sk_pop_freeX509_free
                                            • String ID: ..\s\ssl\ssl_cert.c
                                            • API String ID: 3478116879-349359282
                                            • Opcode ID: 75c7d3103779dfb338be5e12563824facac1a8259e613e1dfe7529728fecb23f
                                            • Instruction ID: 70621b692431579658629a2547126f6d2acf7ee38c933a5a8b40b116296f5fdc
                                            • Opcode Fuzzy Hash: 75c7d3103779dfb338be5e12563824facac1a8259e613e1dfe7529728fecb23f
                                            • Instruction Fuzzy Hash: 71316932B08B8699EB64AF65D4807BC6321FF86B84F044032EB5D477AECF29E561C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            • Associated: 00000002.00000002.2903853641.00007FFDFB130000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2903872184.00007FFDFB13D000.00000020.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2903872184.00007FFDFB195000.00000020.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2903872184.00007FFDFB1A9000.00000020.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2903872184.00007FFDFB1BA000.00000020.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2903872184.00007FFDFB1C0000.00000020.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2903872184.00007FFDFB371000.00000020.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904152035.00007FFDFB373000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904152035.00007FFDFB39E000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904152035.00007FFDFB3CF000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904152035.00007FFDFB3F5000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904152035.00007FFDFB41A000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904299063.00007FFDFB441000.00000008.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904319957.00007FFDFB442000.00000004.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904341515.00007FFDFB447000.00000004.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904361821.00007FFDFB449000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904361821.00007FFDFB465000.00000002.00000001.01000000.0000000D.sdmp
                                            • Associated: 00000002.00000002.2904361821.00007FFDFB469000.00000002.00000001.01000000.0000000D.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide_errno$FileFind$ErrorFirstLastNextfreemallocmemset
                                            • String ID:
                                            • API String ID: 3372420414-0
                                            • Opcode ID: 81ab26afdb51e0cf424030d5a2e0c3388f2a182ffeb5864ed46beb4b9d74ccd7
                                            • Instruction ID: 71bf26b4c7c5a35ce63207850bcab368ea11cf9bacfeaeb9f4ef03e650e1b931
                                            • Opcode Fuzzy Hash: 81ab26afdb51e0cf424030d5a2e0c3388f2a182ffeb5864ed46beb4b9d74ccd7
                                            • Instruction Fuzzy Hash: 93B1A362B1AA8385EB108F29D964A7967A1FF45BE4F445731DA7D837E9EF3CD0428300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: EnvironmentVariable$ByteCharMultiWide
                                            • String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
                                            • API String ID: 2184640988-1666712896
                                            • Opcode ID: f252d246e0628b85fad7a304df18a17be3071f7ca227f1d93e0c6488fa4f7ff8
                                            • Instruction ID: 4a84a2faeebeb303afbf9dc30002618c124da30054b7e079c678b784562c9847
                                            • Opcode Fuzzy Hash: f252d246e0628b85fad7a304df18a17be3071f7ca227f1d93e0c6488fa4f7ff8
                                            • Instruction Fuzzy Hash: 9161D622B0ABC396EB158F2599605796BE1FB45BB8B484231DE7D837E8DF3DE5058300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$O_clear_freeY_free$L_sk_pop_free
                                            • String ID: ..\s\ssl\s3_lib.c
                                            • API String ID: 4158004652-4238427508
                                            • Opcode ID: bcc3b54a3c6572bb54fba9e7ce9bb7e229e7515c930e93364a30d4414f0d2938
                                            • Instruction ID: a3126721c87c00cd1e7bf40557d0896f957dd409c1bc5d8467ddbe75a94aff2f
                                            • Opcode Fuzzy Hash: bcc3b54a3c6572bb54fba9e7ce9bb7e229e7515c930e93364a30d4414f0d2938
                                            • Instruction Fuzzy Hash: 1541D666B05A8294EB50EF56D495BF82321FF86F88F484432DF4D4B37ACF69E14A8311
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: N_free$O_free$memset
                                            • String ID: ..\s\ssl\tls_srp.c
                                            • API String ID: 2671087460-1778748169
                                            • Opcode ID: 9fd1be983f98bb92c0fb388c635512f8d6e54a56b0ca00f46d5843d0a63172d5
                                            • Instruction ID: 3746f9f15b20bae3d215974043b4aa2628515f6650fbecfa6a23293b02672409
                                            • Opcode Fuzzy Hash: 9fd1be983f98bb92c0fb388c635512f8d6e54a56b0ca00f46d5843d0a63172d5
                                            • Instruction Fuzzy Hash: 9011EC32B0558282EB65FFA5C8512FC1755EF96B48F440031EB0D4B7ABDE19E6828310
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$D_sizeDigestO_mallocP_sha256_time64
                                            • String ID: ..\s\ssl\statem\statem_clnt.c$o$resumption
                                            • API String ID: 1034084170-2120662796
                                            • Opcode ID: b6babdd52f2f8d8584176ba767a9366aaff69b792b8bbe612b0c8a06bd4c6928
                                            • Instruction ID: 5a5631acd56a53734e5190a9748c3f9d2c57feef4f6aaa161171450fcaee5df2
                                            • Opcode Fuzzy Hash: b6babdd52f2f8d8584176ba767a9366aaff69b792b8bbe612b0c8a06bd4c6928
                                            • Instruction Fuzzy Hash: 0CE19D3260868185EB70CF96E4847AD7BA1FB89B88F148135DB8D877A9CF7DE641C710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$N1_item_free$O_strndupR_put_errorX509_free_time64memcpy
                                            • String ID: ..\s\ssl\ssl_asn1.c
                                            • API String ID: 3498103060-3659835543
                                            • Opcode ID: 7e7d3a42c9b02347176a37bfccebe9c3884c758c242b50cb4785e4a81089b42f
                                            • Instruction ID: e40787adbbfbe06d35f57b0cf330acd21728c6c65e56332ddb4476f669afdee9
                                            • Opcode Fuzzy Hash: 7e7d3a42c9b02347176a37bfccebe9c3884c758c242b50cb4785e4a81089b42f
                                            • Instruction Fuzzy Hash: 49C12B32709B8696EB659F25D4942BC33A0FB48B84F084036DF8D8B7A9DF38E955C314
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_freememcpy$O_zalloc
                                            • String ID: ..\s\ssl\statem\statem_srvr.c
                                            • API String ID: 150470908-348624464
                                            • Opcode ID: d8780885958c424de315e61cb76c4964b4c11c0232c0f5bd013b5ec686e00f4b
                                            • Instruction ID: 572c71ab45caa243b60f2084644ba55bfa39902e335d18a658533526ca08a759
                                            • Opcode Fuzzy Hash: d8780885958c424de315e61cb76c4964b4c11c0232c0f5bd013b5ec686e00f4b
                                            • Instruction Fuzzy Hash: 42F1CD32A09A8282EB70CB51E4447BE77A1EB56B84F509135DB9D07BEACF7CE191C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$X_free$memcpymemset
                                            • String ID: ..\s\ssl\statem\statem_dtls.c
                                            • API String ID: 1378287987-3140652063
                                            • Opcode ID: f1f9bec63866d6efdf1fb5e7ca1a043afb92025ba432347567d49be170ba4ba4
                                            • Instruction ID: 7268ada3e7587ea6d12b2554966daabfe3f0c9b20243a67971af4db95e9e2fe4
                                            • Opcode Fuzzy Hash: f1f9bec63866d6efdf1fb5e7ca1a043afb92025ba432347567d49be170ba4ba4
                                            • Instruction Fuzzy Hash: 55E18A72B086819AEB649B21D5503FD37A2FB45B88F044035EB8D4BBA9DF3CE5A5C300
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $..\s\ssl\statem\statem_clnt.c
                                            • API String ID: 0-745226041
                                            • Opcode ID: a48fb5177551bd03bcd8f605705c4502703712c1780d75e44904df321cea5d10
                                            • Instruction ID: 3bf85bb737d688fd699b685e88c7385c7e5e1add7507afa7f5ade349227fca48
                                            • Opcode Fuzzy Hash: a48fb5177551bd03bcd8f605705c4502703712c1780d75e44904df321cea5d10
                                            • Instruction Fuzzy Hash: CA819E75B0878246FAB4AB52E4147BE2255EF95BC4F004031EF8E4BBAEDF6DE6058701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_zalloc$J_nid2snP_get_digestbyname
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 4284552970-1080266419
                                            • Opcode ID: a0346553b6f201cc896888fb512db2eab44c67314ecb4c880cef8ce3580fddd2
                                            • Instruction ID: 03a8e898b6a95543f6acfb12b0405d8d4e0a779b277685a2003db77c24a51834
                                            • Opcode Fuzzy Hash: a0346553b6f201cc896888fb512db2eab44c67314ecb4c880cef8ce3580fddd2
                                            • Instruction Fuzzy Hash: 7A31A026B09B9186FB259B65E4403A9B7A0EF45790F840135EB8C07BAFDF7DE552CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_zalloc$J_nid2snP_get_digestbyname
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 4284552970-1080266419
                                            • Opcode ID: d7fb44cae0621a732ada2bf32e276cde04d11f2e708b474297f2c882ac0db4ce
                                            • Instruction ID: 582aff4b6f52c84563a10f28469e07905cae962b433b64c98126e53c4fcaa151
                                            • Opcode Fuzzy Hash: d7fb44cae0621a732ada2bf32e276cde04d11f2e708b474297f2c882ac0db4ce
                                            • Instruction Fuzzy Hash: 3E31CC26A09B9186FB259B65A4403F967A0EF45790F480039EB8D07BBEDF7EE591C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: D_bytesD_sizeO_freeO_memdup_time64
                                            • String ID: ..\s\ssl\statem\statem_srvr.c$resumption
                                            • API String ID: 2587329016-332775882
                                            • Opcode ID: b003dc4c33553e95276c4b0dbb686c59c98d5eb42e1050d8f3747c08a23518bf
                                            • Instruction ID: 9cb8f284c269e381ac8e97996d016ea9b2ee0588345d6793fa56672abd6b38bf
                                            • Opcode Fuzzy Hash: b003dc4c33553e95276c4b0dbb686c59c98d5eb42e1050d8f3747c08a23518bf
                                            • Instruction Fuzzy Hash: 64B1423260878185F760DB56D8847EE67A1EB85B98F080036EF8D4B7A9CF7CD485C710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memcpy$O_memcmpX_copy_exX_new
                                            • String ID: ..\s\ssl\statem\statem_lib.c$O
                                            • API String ID: 941845511-1434326050
                                            • Opcode ID: 45845634fb582d2fc1932d460ff5e7b337703ea36fbc1edfa495aa06c6adaf33
                                            • Instruction ID: 30848a9127ff30a68c7b293ddf88b872744b79a37597aaccb367a8d63c9f22b0
                                            • Opcode Fuzzy Hash: 45845634fb582d2fc1932d460ff5e7b337703ea36fbc1edfa495aa06c6adaf33
                                            • Instruction Fuzzy Hash: 10816C32B0864286EBB08F15E4447EE27A6EB45B88F184235DB4D4B7ADCF7DE985C701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                            • String ID: %s\*
                                            • API String ID: 1057558799-766152087
                                            • Opcode ID: b1bbed1cfb60f4f0fc8f81c34b93851b936e7686d1867c24e24cc6b5744ead1d
                                            • Instruction ID: c94e6090ebff7353e381660c0c1be7244eeeb050d5dee4451318aa54a428352b
                                            • Opcode Fuzzy Hash: b1bbed1cfb60f4f0fc8f81c34b93851b936e7686d1867c24e24cc6b5744ead1d
                                            • Instruction Fuzzy Hash: 41412D21A0CE8685EB209B25E4641B96268FB95FB4F504732F95DC3796EF2CE54DC600
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Fiber$ErrorLastSwitch$CreateValuememmove
                                            • String ID: *$..\s\crypto\async\async.c
                                            • API String ID: 3019965278-1471988776
                                            • Opcode ID: 38cc19c998566899ee473bfa48192cd0b1a1b28a90ee13bd2b04ba166f3ad9c2
                                            • Instruction ID: 1865e777cc8ed7815df5cb3aabdf46075316fa90fabd26817f3154cda1fbd141
                                            • Opcode Fuzzy Hash: 38cc19c998566899ee473bfa48192cd0b1a1b28a90ee13bd2b04ba166f3ad9c2
                                            • Instruction Fuzzy Hash: 98C16C72B0AB4386EB20EB22E4609A977A0FF44B48F544435EA6D477E9EF3CE555C340
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: D_unlockH_retrieve_time64memcmpmemcpy
                                            • String ID: ..\s\ssl\ssl_sess.c
                                            • API String ID: 3305741012-2868363209
                                            • Opcode ID: ed0f6a6d18fa1800434435565cc372f61cc53b61c20e5140267d3990fd8acc98
                                            • Instruction ID: 7ff601ad999e0e9d3ca3d2eeae27b58974a91af7ba764471f31d5204160d55ae
                                            • Opcode Fuzzy Hash: ed0f6a6d18fa1800434435565cc372f61cc53b61c20e5140267d3990fd8acc98
                                            • Instruction Fuzzy Hash: 91C1AD36A08B8286EBA4DB25D5447BA23A0FB85B99F040135DF4D577ACDF7DE881CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error$O_freeO_malloc
                                            • String ID: ..\s\ssl\t1_lib.c
                                            • API String ID: 3400298158-1643863364
                                            • Opcode ID: f0cf93b09e447f6428ab2f64b48095b8aced8c80aae18c428f7130c0d8c52cf1
                                            • Instruction ID: 403abb2ba1d3500e43ebd8f4a5b82068a21f5ebb15a0ad1810debe1569e0f53b
                                            • Opcode Fuzzy Hash: f0cf93b09e447f6428ab2f64b48095b8aced8c80aae18c428f7130c0d8c52cf1
                                            • Instruction Fuzzy Hash: 9331AE36A0C69296EA20CB91A8002FAA364FF6A784F444531EB5D07BADDFBCE501C700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            • Opcode ID: dec8059712e99081e2e259c55c2c48a2db8476306f1af611de12d5d4c368715b
                                            • Instruction ID: 13ee962daea96be3ac84bc0a060770c9a3cfe21c7c16a8967b5d7300835f52e2
                                            • Opcode Fuzzy Hash: dec8059712e99081e2e259c55c2c48a2db8476306f1af611de12d5d4c368715b
                                            • Instruction Fuzzy Hash: D5312F72608F858AEB609F60E8947F97368FB84B54F44403ADA4E87B95EF38D54CC714
                                            APIs
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5B45
                                              • Part of subcall function 00007FF6117B5498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B54AC
                                              • Part of subcall function 00007FF6117AA0E4: HeapFree.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA0FA
                                              • Part of subcall function 00007FF6117AA0E4: GetLastError.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA104
                                              • Part of subcall function 00007FF6117AA4C4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6117AA4A3,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AA4CD
                                              • Part of subcall function 00007FF6117AA4C4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6117AA4A3,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AA4F2
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5B34
                                              • Part of subcall function 00007FF6117B54F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B550C
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DAA
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DBB
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DCC
                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6117B600C), ref: 00007FF6117B5DF3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                            • String ID:
                                            • API String ID: 4070488512-0
                                            • Opcode ID: 656f46ad94b1de9c6b7be9e0428065307f6ee6306168047b2f363e6a295c7c06
                                            • Instruction ID: 96b3fcb23e76d20984a08f1c0ed25d08e94c780c8d78f7309438d2e8c3c06195
                                            • Opcode Fuzzy Hash: 656f46ad94b1de9c6b7be9e0428065307f6ee6306168047b2f363e6a295c7c06
                                            • Instruction Fuzzy Hash: 0DD1C222A18A4286EB20EF26D4811B96769FF84FA4F84C135EA4DC7797DF3CE4498744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                            • String ID:
                                            • API String ID: 1239891234-0
                                            • Opcode ID: 18bd89ddc904fac5e08f82f97f687fabcb8e5781267cf91c135aead5cf591e4d
                                            • Instruction ID: d0c644f1894186fa76ebd312468eef9b1ef65900a65407290f8400d494bee9d4
                                            • Opcode Fuzzy Hash: 18bd89ddc904fac5e08f82f97f687fabcb8e5781267cf91c135aead5cf591e4d
                                            • Instruction Fuzzy Hash: 81315336618F8585DB60DF25E8402AE73A8FB88B64F544135EA8D83B96DF3CD559CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: D_bytesO_freeO_malloc
                                            • String ID: $..\s\ssl\statem\statem_srvr.c
                                            • API String ID: 693915670-1632442243
                                            • Opcode ID: 961c0467bdc0d2aee13f39ffa767b1ea63875842b84ba719e76f8c214294a808
                                            • Instruction ID: 2e337712f90ac72cb68b497b6a4e31dda7743abc918f523492a8e6cf12857b39
                                            • Opcode Fuzzy Hash: 961c0467bdc0d2aee13f39ffa767b1ea63875842b84ba719e76f8c214294a808
                                            • Instruction Fuzzy Hash: ED513B21B0C24241FBA09B12A9117FA6696EF85BC8F184435EF4D4BBFEDF6DE4418711
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_reallocR_put_error
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 1389097454-1080266419
                                            • Opcode ID: 1f0b728b7d6bea3a458ab10cb8bb13d2af17303fd6a5e5c8f59a80ecefb35241
                                            • Instruction ID: 4a60e4cf836257b55343ce05f0ddc1c4725fae6389fbd93c7179d934dc23d3d0
                                            • Opcode Fuzzy Hash: 1f0b728b7d6bea3a458ab10cb8bb13d2af17303fd6a5e5c8f59a80ecefb35241
                                            • Instruction Fuzzy Hash: F2412372709B8192E626DB25A8006F977A4FB84798F440131EF9D037B9DF3DE196D704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_reallocR_put_error
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 1389097454-1080266419
                                            • Opcode ID: 955bd85fdc451f8d8e9c6f92e76b897e1d8635ce8506f57490ca9bb3c3adf140
                                            • Instruction ID: 418988ef3e768c1e10b7116d16ae3fc04a0ef64f90e4373b7bb037ebd938c33d
                                            • Opcode Fuzzy Hash: 955bd85fdc451f8d8e9c6f92e76b897e1d8635ce8506f57490ca9bb3c3adf140
                                            • Instruction Fuzzy Hash: 6731EE72609B8286EB21DB25E8406B977A0FB45B98F844531EF8D077ADEF3CE052D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$O_mallocR_put_error
                                            • String ID: ..\s\ssl\t1_lib.c
                                            • API String ID: 2563039504-1643863364
                                            • Opcode ID: 509e1fdc593bd32722d73512d70e664d77ad18ea37a59c9807bf0dc696ef9fbb
                                            • Instruction ID: b03adb075f1aec3b9582c9067bd045e86a9e034f1c9a72163c02a496f1c4e401
                                            • Opcode Fuzzy Hash: 509e1fdc593bd32722d73512d70e664d77ad18ea37a59c9807bf0dc696ef9fbb
                                            • Instruction Fuzzy Hash: 2431A232619B8282EB20DF51E0502B977A4EF96B84F484432DB9C07BA9DF7DE565C740
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: FileFindFirst_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2227656907-0
                                            • Opcode ID: dcffd9b8628d742c69489f875bc55e6d9247fa9d8bf2a4278b728192fca35700
                                            • Instruction ID: 1013f18bdf25e4085c083f0e9f841273715b95ac290a8a87be7eb8085173843b
                                            • Opcode Fuzzy Hash: dcffd9b8628d742c69489f875bc55e6d9247fa9d8bf2a4278b728192fca35700
                                            • Instruction Fuzzy Hash: F3B1C522B18E9681EB619B21F5042B96399FB44FF4F448131EA5D87BD6EF3CE449C304
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_memdup$O_free
                                            • String ID: ..\s\ssl\statem\statem_srvr.c
                                            • API String ID: 2280451731-348624464
                                            • Opcode ID: 9e465afa6d545f29c1494c4dc766bfed5f3260f1387bed8ad636692f894afb42
                                            • Instruction ID: 8d9ecb3d12a48b9c3a1e7e1c6a6cbfc06b64c77a31bd903041189aa93bb25c98
                                            • Opcode Fuzzy Hash: 9e465afa6d545f29c1494c4dc766bfed5f3260f1387bed8ad636692f894afb42
                                            • Instruction Fuzzy Hash: F9518C72609A8181E7A09F15E4846BE77A1FB85B98F184431EF8C4B7A8CF7CD582CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_freeO_memdup
                                            • String ID: ..\s\ssl\statem\extensions_clnt.c$c:\a\6\s\ssl\packet_locl.h
                                            • API String ID: 3962629258-2027938492
                                            • Opcode ID: 4fe109ea4585c0377ab0fcd382a43bf0e29c7606b01a3688e16fd18f8abbc581
                                            • Instruction ID: d97c898fa132b70a5b6815abfd924790c4fc8a454607e6507dd75ec6577fe546
                                            • Opcode Fuzzy Hash: 4fe109ea4585c0377ab0fcd382a43bf0e29c7606b01a3688e16fd18f8abbc581
                                            • Instruction Fuzzy Hash: 4031C932B1DB8142EB548B14F5402A9B790FB49794F444235F79D17BA9EF3CE1A18704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_freeO_strdupR_put_error
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 626504629-1080266419
                                            • Opcode ID: cd42864ef3c11886546f96278c311ba3807531a0a852a535b8444d6b8c012e48
                                            • Instruction ID: e30621efb746aa23bede17871f558adeaf282aa917689e36df9933787a50554f
                                            • Opcode Fuzzy Hash: cd42864ef3c11886546f96278c311ba3807531a0a852a535b8444d6b8c012e48
                                            • Instruction Fuzzy Hash: D121BEA6F18B8285FB90CB25E4403F823A0EB44B98F584431DB9C8B7BADF2CD5D18704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$Y_free
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 3642664693-1080266419
                                            • Opcode ID: ce9703af266970d1115a288c8e1b4399d4376257c1e41b3e75d58a3a074935f9
                                            • Instruction ID: 623f943f7fabd65f1ad306dcb2437511695787dfcf443f8c3debd466594db5cd
                                            • Opcode Fuzzy Hash: ce9703af266970d1115a288c8e1b4399d4376257c1e41b3e75d58a3a074935f9
                                            • Instruction Fuzzy Hash: C1E04F59F0664281FA65AB92D8517F423209F5AB94F445031EE0D4B7FFDF1CE5828701
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmove$memset
                                            • String ID:
                                            • API String ID: 3790616698-0
                                            • Opcode ID: 80b35eb6a747eb7a0b455ff1d8a9a195d5f46177e364a343d2ad3682b5e7211a
                                            • Instruction ID: 27fdd9ceeafefc1544f0b427825910cbf2f8e9ca039304eb2dbb941587d6278a
                                            • Opcode Fuzzy Hash: 80b35eb6a747eb7a0b455ff1d8a9a195d5f46177e364a343d2ad3682b5e7211a
                                            • Instruction Fuzzy Hash: 89510372B1AB8686DB10DB15E45066FBBA0FB49BA4F444235EEAD43BE9CE3CD101C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmovememset
                                            • String ID: ..\s\crypto\rsa\rsa_oaep.c$W
                                            • API String ID: 1288253900-622388702
                                            • Opcode ID: a91cb09a2902b0daf17fd4e703e40a71a2d83946a4fdf8ed1b728444276cea72
                                            • Instruction ID: 1c9f844c4daf0c6c7237c9953abacf5d2183b86d61c6c14836781267d7821b01
                                            • Opcode Fuzzy Hash: a91cb09a2902b0daf17fd4e703e40a71a2d83946a4fdf8ed1b728444276cea72
                                            • Instruction Fuzzy Hash: 07C1D723B19ACB86EB109B28D410ABA67A1FBC5BC8F145236DB9D53799EF3CD145C700
                                            APIs
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DAA
                                              • Part of subcall function 00007FF6117B54F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B550C
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DBB
                                              • Part of subcall function 00007FF6117B5498: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B54AC
                                            • _get_daylight.LIBCMT ref: 00007FF6117B5DCC
                                              • Part of subcall function 00007FF6117B54C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117B54DC
                                              • Part of subcall function 00007FF6117AA0E4: HeapFree.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA0FA
                                              • Part of subcall function 00007FF6117AA0E4: GetLastError.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA104
                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6117B600C), ref: 00007FF6117B5DF3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                            • String ID:
                                            • API String ID: 3458911817-0
                                            • Opcode ID: 86688f8d2f1ae04f1aab1eeae53bd1aef32144e70f3d14e48b21619aa4792d57
                                            • Instruction ID: 14ab1797b742127b6f3aa5ee938c223a76f2cdb3d8b597db74b2c376f5efee69
                                            • Opcode Fuzzy Hash: 86688f8d2f1ae04f1aab1eeae53bd1aef32144e70f3d14e48b21619aa4792d57
                                            • Instruction Fuzzy Hash: 38518F72A18E4286E720EF21E8815B96768FF48FA4F448135EA4DC7B97DF3CE4488744
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: D_read_lockD_unlockH_retrievememcpy
                                            • String ID:
                                            • API String ID: 2272600717-0
                                            • Opcode ID: eacee982258474cf84c65c756c29dcf2f4c82a3100d24e29db710f983da2b86b
                                            • Instruction ID: 06d31dd4b5bb39098f2770091a0845693f83f0c19931cb30f70fb37450aca2a0
                                            • Opcode Fuzzy Hash: eacee982258474cf84c65c756c29dcf2f4c82a3100d24e29db710f983da2b86b
                                            • Instruction Fuzzy Hash: 0331A422B09B8186EAA4DF29D4513B96390FB89B95F084136EF4D4776ADF3CE542CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free
                                            • String ID: ..\s\ssl\statem\statem_clnt.c
                                            • API String ID: 2581946324-1507966698
                                            • Opcode ID: f171a9b809563eb06841a0314ade0dc60bcfc1f2773dd9c3ff693d0535b55d80
                                            • Instruction ID: c40d8c37378ada96363e755225a3f8608736500018aa5eddeb9fee622ef1679f
                                            • Opcode Fuzzy Hash: f171a9b809563eb06841a0314ade0dc60bcfc1f2773dd9c3ff693d0535b55d80
                                            • Instruction Fuzzy Hash: 7431BE72A1CB8182E7609B51F4406AEB7A1FB857A4F444235FBD907BADDF7CD2508B00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorLastbind
                                            • String ID: ..\s\crypto\bio\b_sock2.c
                                            • API String ID: 2328862993-3200932406
                                            • Opcode ID: 07a51871c6cc82d07ddb0362aba42ccba400747838bd6ea52fefd8ddeca8a5db
                                            • Instruction ID: 3ed566a5089d5ff66ef144cf72c7cafd0b293a011d77442fc14738fbec6720c8
                                            • Opcode Fuzzy Hash: 07a51871c6cc82d07ddb0362aba42ccba400747838bd6ea52fefd8ddeca8a5db
                                            • Instruction Fuzzy Hash: F021C232F1A55386E710DB25F820A6D67A0EB84B88F540531EA6D43BEDEF3CE545CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 2581946324-1080266419
                                            • Opcode ID: 0f6859ad52ff68c0f0f04dbb44ab1ba94531f0baec27e7c81747281d64887377
                                            • Instruction ID: 7b7222546dfe415a65ff0d9e2e2f6468d02a85774931d8672078856494c6a320
                                            • Opcode Fuzzy Hash: 0f6859ad52ff68c0f0f04dbb44ab1ba94531f0baec27e7c81747281d64887377
                                            • Instruction Fuzzy Hash: 75E09A66B04B4181FB21AB61D4403A82320EB09B48F448030CA0C0B3ABDFACD184C361
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free
                                            • String ID: ..\s\ssl\t1_lib.c
                                            • API String ID: 2581946324-1643863364
                                            • Opcode ID: 133089a26c27c7236ef72524c339463aa5b29880811549ad3b06af1c2147fadc
                                            • Instruction ID: d0a39edf227f37279609dbec461f3eef8c552323f42702daa67a57cda5cfd378
                                            • Opcode Fuzzy Hash: 133089a26c27c7236ef72524c339463aa5b29880811549ad3b06af1c2147fadc
                                            • Instruction Fuzzy Hash: 70615732A09A8586EB758F51E4443EA67A4FF16B98F580035DB4E5B7A8CF7CE9818301
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_malloc
                                            • String ID: ..\s\ssl\statem\statem_clnt.c
                                            • API String ID: 1457121658-1507966698
                                            • Opcode ID: 33cb53862aa21825262840951025edce8ca68d8317dd88a8b7979837276a0a02
                                            • Instruction ID: 99565087bb1e12772b1ab8928aea4c7953b7886e95d174104e14150570ea728f
                                            • Opcode Fuzzy Hash: 33cb53862aa21825262840951025edce8ca68d8317dd88a8b7979837276a0a02
                                            • Instruction Fuzzy Hash: A731A631B0D69286E7608B51E8107BD7BA0EB86B90F484631DB9D47BEADF2CD651C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free
                                            • String ID: ..\s\ssl\record\rec_layer_d1.c
                                            • API String ID: 2581946324-1306860146
                                            • Opcode ID: 139efbb07686edf3e52e49d0b03c92fe3e3cf91c01f1fc49864d39945a4f1720
                                            • Instruction ID: 47eb481f35f64e8872d14fd4db4819866ee296de9d4c344afa84e9c44f962623
                                            • Opcode Fuzzy Hash: 139efbb07686edf3e52e49d0b03c92fe3e3cf91c01f1fc49864d39945a4f1720
                                            • Instruction Fuzzy Hash: E5F0BE12B0D64280EAC0AB66F441AB98251EF88BC4F485031EB0D4B7BFEE1CE8918704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_clear_free
                                            • String ID: ..\s\ssl\s3_enc.c
                                            • API String ID: 2011826501-1839494539
                                            • Opcode ID: 6d15e9bca7093c64b67abccaf57bc47edc1c3f3c4f044bc31ce0d445c21825d7
                                            • Instruction ID: 3239cb84e9dfa6c37ef528bfb14438219c3bbfef5bb82ce0bb577bedf02fc99d
                                            • Opcode Fuzzy Hash: 6d15e9bca7093c64b67abccaf57bc47edc1c3f3c4f044bc31ce0d445c21825d7
                                            • Instruction Fuzzy Hash: 33E0ED76709B80C4DB809B66D8897E82360EB49F54F584136DF4D4B365CF25C197C300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free
                                            • String ID: ..\s\ssl\statem\extensions.c
                                            • API String ID: 2581946324-1165805907
                                            • Opcode ID: 17a1c25cdda82420369dc9924b42362fb606877aacc98f35b46ac895bdb894de
                                            • Instruction ID: e2f33eff5b0eea9f6ecfbf97c32ff3a047b932164ded05cded77b5c5ada75f38
                                            • Opcode Fuzzy Hash: 17a1c25cdda82420369dc9924b42362fb606877aacc98f35b46ac895bdb894de
                                            • Instruction Fuzzy Hash: 96D0A796F0564141F7507B95D4053E41220EF19B49F485031DF0C4FBA7DF5DE1D24B10
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free
                                            • String ID: ..\s\ssl\t1_lib.c
                                            • API String ID: 2581946324-1643863364
                                            • Opcode ID: 9265e4e1051d1770e5766e913f015a2990611a6c01de25bc3c6fd1a9d2ffb099
                                            • Instruction ID: 680cf7534b93f8beea92337e2b117ab68f2d4aa79aca7beb6ad5598119ccaa05
                                            • Opcode Fuzzy Hash: 9265e4e1051d1770e5766e913f015a2990611a6c01de25bc3c6fd1a9d2ffb099
                                            • Instruction Fuzzy Hash: 52D05E16F0944294FAA0AB62C8016FC1711EF4DB54F580030DF1D5BBBADD5CF9579704
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: D_read_lockD_unlock
                                            • String ID:
                                            • API String ID: 102331797-0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117942F0
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF611794331
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF611794356
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF61179437B
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117943A3
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117943CB
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF6117943F3
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF61179441B
                                            • GetProcAddress.KERNEL32(?,00007FF611794EB7,?,00007FF61179224E), ref: 00007FF611794443
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: AddressProc
                                            • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                            • API String ID: 190572456-2007157414
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: AddressProc
                                            • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                            • API String ID: 190572456-573889970
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Module_$ConstantObject$LongReadyType_$Create2Err_ExceptionFromLong_Tuple_With
                                            • String ID: CHECK_CRC32$CHECK_CRC64$CHECK_ID_MAX$CHECK_NONE$CHECK_SHA256$CHECK_UNKNOWN$Call to liblzma failed.$FILTER_ARM$FILTER_ARMTHUMB$FILTER_DELTA$FILTER_IA64$FILTER_LZMA1$FILTER_LZMA2$FILTER_POWERPC$FILTER_SPARC$FILTER_X86$FORMAT_ALONE$FORMAT_AUTO$FORMAT_RAW$FORMAT_XZ$LZMACompressor$LZMADecompressor$LZMAError$MF_BT2$MF_BT3$MF_BT4$MF_HC3$MF_HC4$MODE_FAST$MODE_NORMAL$PRESET_DEFAULT$PRESET_EXTREME$_lzma.LZMAError
                                            • API String ID: 3442111998-3870813807
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: P_add_cipher$P_add_digest$E_addE_finishY_asn1_find_strY_asn1_get0_info$J_nid2snP_aes_256_cbcP_get_digestbynameP_md5P_sha1P_sha256
                                            • String ID: MD5$RSA-SHA1$RSA-SHA1-2$SHA1$ssl3-md5$ssl3-sha1
                                            • API String ID: 1429678301-3803824401
                                            APIs
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DC8F1
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DC908
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DC91F
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DC953
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DC9BF
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DC9F6
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCA57
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCA6A
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCA81
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCA94
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCAAB
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCABE
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCAD5
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCAE8
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCAFF
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCB12
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCB29
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCB62
                                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB2DD4D9,?,?,?,?,?,?,?,?,00007FFDFB2DB50B), ref: 00007FFDFB2DCB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strcmp
                                            • String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
                                            • API String ID: 1004003707-1119032718
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error$X509_$E_freeL_sk_set_cmp_funcM_read_bio_X509$E_dupErrorL_sk_pushLastO_ctrlO_freeO_newO_s_fileO_snprintfR_add_error_dataR_clear_errorR_endR_readX509_freeX509_get_subject_name_errno
                                            • String ID: %s/%s$..\s\ssl\ssl_cert.c$OPENSSL_DIR_read(&ctx, '
                                            • API String ID: 1298587036-4291904164
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: X509_$R_put_error$L_sk_numX_free$L_sk_pop_freeL_sk_valueM_move_peernameM_set1X_get0_chainX_get1_chainX_get_errorX_newX_set0_daneX_set_defaultX_set_ex_dataX_set_verify_cb
                                            • String ID: ..\s\ssl\ssl_cert.c$ssl_client$ssl_server
                                            • API String ID: 4276941150-2466788060
                                            • Opcode ID: da8ffaa8bb4c479e1f1324667d0f4f023503315d3ad3bc4eb565f77b218061d6
                                            • Instruction ID: ae2a37dbae077e7a443cda667fb161e2d8958c5b8bcfb4a1ce1831c1302b6920
                                            • Opcode Fuzzy Hash: da8ffaa8bb4c479e1f1324667d0f4f023503315d3ad3bc4eb565f77b218061d6
                                            • Instruction Fuzzy Hash: 17616B21B0864385EA64EB6699913BE67A1AF96BC4F444036EF4D477AFEF3CE401C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Arg_Buffer_Err_$ArgumentBufferContiguousIndexKeywordsLong_Number_Object_OccurredReleaseSsize_tStringSubtypeThread_acquire_lockThread_release_lockType_Unpack
                                            • String ID: Already at end of stream$argument 'data'$contiguous buffer$decompress$integer argument expected, got float
                                            • API String ID: 3643716117-1882176353
                                            • Opcode ID: eaa5efcad63992a0adb75e1df66044a6d462d8517104d0969a59a4394c2eac4f
                                            • Instruction ID: 4fce2a3bdd0f07c0fcbb611242f44e3fe7b39ab9655ea64e74dcfcebc4b2b098
                                            • Opcode Fuzzy Hash: eaa5efcad63992a0adb75e1df66044a6d462d8517104d0969a59a4394c2eac4f
                                            • Instruction Fuzzy Hash: 59612B21A08F4285EA508B12E89427A6BB4FFC9BA0F5441B5DFAD477B6DF7CE444D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Eval_Thread$Buffer_Bytes_RestoreSaveStringThread_acquire_lock$Arg_ArgumentBufferContiguousErr_FromObject_ReleaseResizeSizeThread_release_lock
                                            • String ID: Compressor has been flushed$Unrecognized error from liblzma: %d$argument$compress$contiguous buffer
                                            • API String ID: 3206493269-1781558755
                                            • Opcode ID: cb909a36e300276ce923ef371e3985ba7075b621ff59826bbc6e427a6c4ddae0
                                            • Instruction ID: 906241279261a2620b21103f1bd31170aedf48d6bf6bebf85d21e40634160291
                                            • Opcode Fuzzy Hash: cb909a36e300276ce923ef371e3985ba7075b621ff59826bbc6e427a6c4ddae0
                                            • Instruction Fuzzy Hash: 56711B22A08F8286EB648B26E48436A37B5FBC8BA4F504275DF9D477A5DF3CD445C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: X_ctrl$X_free$D_sizeR_put_errorX_new_idY_derive_init
                                            • String ID: ..\s\ssl\tls13_enc.c$U$W$tls13
                                            • API String ID: 2176224248-2595563013
                                            • Opcode ID: c7026dc82b053e37b619605641ac3c8103fac54c87297e1e2c29d2e658116e9a
                                            • Instruction ID: b0f90ae4df1670e8ce6e757384933aeed13c10cbba46d2fd8524b5a064b10c70
                                            • Opcode Fuzzy Hash: c7026dc82b053e37b619605641ac3c8103fac54c87297e1e2c29d2e658116e9a
                                            • Instruction Fuzzy Hash: 9E915A32B0868286FA709A52E5147BE6791AF96784F400131EB4D47BBAEF3DE545CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: R_put_error
                                            • String ID: ..\s\ssl\ssl_rsa.c
                                            • API String ID: 1767461275-2723262194
                                            • Opcode ID: 053c030733df3a52619d4012c3bbda9b9158e920da0bdf21c763ff0f067dc1a9
                                            • Instruction ID: 988b3bf5e7fdf52f6d4b3d9d7e8f028d7f608c84f0169a1e054cb90ea9bd7aee
                                            • Opcode Fuzzy Hash: 053c030733df3a52619d4012c3bbda9b9158e920da0bdf21c763ff0f067dc1a9
                                            • Instruction Fuzzy Hash: E8717B32A08A8282EF50DB65E4506BEA760FB99B88F440131EB4D437AEEF7DE545C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Bytes_Eval_Thread$FromResizeRestoreSaveSizeStringmemmove
                                            • String ID: Unrecognized error from liblzma: %d
                                            • API String ID: 4114778314-3752967985
                                            • Opcode ID: a7d93393fff5e0aa51de848bf3b6408fb20852d020f5559b4ad80d295f108a2f
                                            • Instruction ID: 1b0ae36bc14405ef24a638431c194a32b7af945ab1c4aaaa2b64dd3e3e02e697
                                            • Opcode Fuzzy Hash: a7d93393fff5e0aa51de848bf3b6408fb20852d020f5559b4ad80d295f108a2f
                                            • Instruction Fuzzy Hash: DCB17521A09F8189EB648F2698543B96BB5FF88BA8F244175DF4D0B7A6DF3CE445C300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Similarity
                                            • API ID: strspn$strncmp
                                            • String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Proc-Type:
                                            • API String ID: 1384302209-3505811795
                                            • Opcode ID: e90065c7be01b739f3bd4072d943918714ba8c1968184f16852b7dcd88a8af2c
                                            • Instruction ID: a3250c143e5fb5508f899a40ad4adc88ede6996e3cdf1c329cd650b805e27ff6
                                            • Opcode Fuzzy Hash: e90065c7be01b739f3bd4072d943918714ba8c1968184f16852b7dcd88a8af2c
                                            • Instruction Fuzzy Hash: 6591B265B0F65786E7249F11E434ABD77A1AF08B88F844030CA6D86AEDEF3DE546C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$DeallocLongThread_free_lock$Bytes_FromLong_OccurredSizeThread_allocate_lockUnsigned
                                            • String ID: Cannot specify filters except with FORMAT_RAW$Cannot specify memory limit with FORMAT_RAW$Invalid container format: %d$Must specify filters for FORMAT_RAW$Unable to allocate lock
                                            • API String ID: 1108936419-1518367256
                                            • Opcode ID: 9525b31f0963ba0e342c0eb8698fedc629527c382ec99a727386fa4583200162
                                            • Instruction ID: b0b285172ff10ef973a9742cb8beb6b4d1d21c5e736d777003879cfabe51d325
                                            • Opcode Fuzzy Hash: 9525b31f0963ba0e342c0eb8698fedc629527c382ec99a727386fa4583200162
                                            • Instruction Fuzzy Hash: 56715132A08E4285EB648F26E8941792B64FBCAB74F5441B1DF5D4A7B6DF7CE488D300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: X509_$E_free$E_dupH_freeH_retrieveL_sk_new_nullL_sk_pop_freeL_sk_pushM_read_bio_O_ctrlO_freeR_clear_errorR_put_errorX509X509_freeX509_get_subject_name
                                            • String ID: ..\s\ssl\ssl_cert.c
                                            • API String ID: 1315476032-349359282
                                            • Opcode ID: 8ecc01ccd44d5c52f79949a4607a94e5314d1ae90a1fe92926c06156f9c469cd
                                            • Instruction ID: 841dfaa177572871eaa0cefb376d40980284aa654628e5979d943c0b7409f5b5
                                            • Opcode Fuzzy Hash: 8ecc01ccd44d5c52f79949a4607a94e5314d1ae90a1fe92926c06156f9c469cd
                                            • Instruction Fuzzy Hash: EB419F21A0D24385FE61ABA294517BD5790AFA6BC4F084036EF8D0BBBFDE3CE4058705
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_$Mem_$FreeLongString$Arg_ClearDeallocExceptionFormatItemKeywords_Long_MallocMapping_MatchesMemoryOccurredParseSizeTupleUnsigned
                                            • String ID: Invalid compression preset: %u$Invalid filter specifier for LZMA filter$preset$|OOO&O&O&O&O&O&O&O&
                                            • API String ID: 2878241137-1461672608
                                            • Opcode ID: 3db22969c6c40bc59cbe3d758bc68dab9b937b99832b7ba4671467d740bcc724
                                            • Instruction ID: 1e132fa0d6965ac31f07502b3504a6e088381dccc1d1fe30484fd14852da10bb
                                            • Opcode Fuzzy Hash: 3db22969c6c40bc59cbe3d758bc68dab9b937b99832b7ba4671467d740bcc724
                                            • Instruction Fuzzy Hash: E3513C31A08F4285EA608B12E4902AA7BA4FFC9BA0F5041B6DF8D46776DF7CE458D710
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID: gfffffff
                                            • API String ID: 0-1523873471
                                            • Opcode ID: 0c00cf3d59b9a8b7540c50735eae0699765dff90e778f59e0a662ece70efbc7b
                                            • Instruction ID: bf07ee298c82667afed36936384c3c2aacce8c6c8c26f910b62329db1a4807d7
                                            • Opcode Fuzzy Hash: 0c00cf3d59b9a8b7540c50735eae0699765dff90e778f59e0a662ece70efbc7b
                                            • Instruction Fuzzy Hash: E0E1D161B0CA8281FEB49AAA954077A6681FF66BC4F144535DF4E877EDEF3CE4818700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Similarity
                                            • API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite__stdio_common_vsprintf__stdio_common_vswprintf
                                            • String ID: $OpenSSL$OpenSSL: FATAL$no stack?
                                            • API String ID: 2603057392-2963566556
                                            • Opcode ID: 9f4082d1a07810123fbfe9be131995a4efa7e1c68d79a2b4e33d60306aadcfbb
                                            • Instruction ID: b2574071c505ca53f8d154cb6f6d8dc3ba5796e5ade9f355e4117655c2ac4fdb
                                            • Opcode Fuzzy Hash: 9f4082d1a07810123fbfe9be131995a4efa7e1c68d79a2b4e33d60306aadcfbb
                                            • Instruction Fuzzy Hash: 4C91E572B09B8786EB208F64E8605A87361FB45BD8F444735EA6D4B6E9EF3CD195C300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Digest$Update$Final_ex$Init_exL_cleanseX_freeX_new
                                            • String ID: $XS$..\s\ssl\s3_enc.c
                                            • API String ID: 1085713656-2204730338
                                            • Opcode ID: 2bda96110983e3cbd0c1e73fe3392ee282ea7fc9e8edc76b975135830d1840b1
                                            • Instruction ID: d040722245c10b1af14490f34d3b558892ce870701bfbc97a7804583b9794a4e
                                            • Opcode Fuzzy Hash: 2bda96110983e3cbd0c1e73fe3392ee282ea7fc9e8edc76b975135830d1840b1
                                            • Instruction Fuzzy Hash: E751A572B1878342FA649B16A9047BA6395AF96BC4F409036EF8D47B6EDF3CE405C704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: DigestX_mdX_new$D_sizeFinal_exO_ctrlO_freeUpdateX_ctrlX_free
                                            • String ID: ..\s\ssl\s3_enc.c
                                            • API String ID: 2523682943-1839494539
                                            • Opcode ID: e4906672c1da4dc1e5f22fae399b36a8df245854c76b5d37f80920efeef9a9f1
                                            • Instruction ID: fc27c8c885ca29b65c4ec5a0e923a1047e9c7f7385b2336ff3fc1f941f9b8d1c
                                            • Opcode Fuzzy Hash: e4906672c1da4dc1e5f22fae399b36a8df245854c76b5d37f80920efeef9a9f1
                                            • Instruction Fuzzy Hash: A6616C32B09A8286FBA0DA56E8507B96794EF85BC4F144032DF8D4B7AADF3CE5458704
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
                                            • String ID:
                                            • API String ID: 627783611-0
                                            • Opcode ID: 9cddb5709fc19632397910db40cae442963e39c90e1c54dbdd52e4f1c275d58e
                                            • Instruction ID: 9bd62586e194b50b2e1a0395d2a628fec6d4c4c0582af691002ed214fb0dcc87
                                            • Opcode Fuzzy Hash: 9cddb5709fc19632397910db40cae442963e39c90e1c54dbdd52e4f1c275d58e
                                            • Instruction Fuzzy Hash: 4F916E21E08E478AF6559B6794812796AA0AFCDBA0F4480F5EB4D4B7B7DE3CE641C700
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                            • API String ID: 2050909247-1550345328
                                            • Opcode ID: aa10971c0d062941331155fe9ceba359fffdd19f777983bb20d27a1fe9fcc65b
                                            • Instruction ID: 99e1742a57beb6e2366d316894f4f5feb767fe9c88fea5a115e0195d192c97b3
                                            • Opcode Fuzzy Hash: aa10971c0d062941331155fe9ceba359fffdd19f777983bb20d27a1fe9fcc65b
                                            • Instruction Fuzzy Hash: 2B518061B08E4B92EB209B25A4601B92368FF44FB4F884135EE1D87797EF7CE56C8340
                                            APIs
                                              • Part of subcall function 00007FF611797800: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6117931D4,00000000,00007FF611791905), ref: 00007FF611797839
                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF611796EC7,?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF6117969FC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ByteCharEnvironmentExpandMultiStringsWide
                                            • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                            • API String ID: 2001182103-930877121
                                            • Opcode ID: e1c90b8b65be0b26b19f09dc33bf5e27a6aa4be5ceb88937082bfe242d96b68e
                                            • Instruction ID: 1ce725cff1fad624faba917a0ad8f9880a268b104774f8461cab8ac7fc7d5f65
                                            • Opcode Fuzzy Hash: e1c90b8b65be0b26b19f09dc33bf5e27a6aa4be5ceb88937082bfe242d96b68e
                                            • Instruction Fuzzy Hash: 27417321A1DE4681FB609B25E8616FA6269EF84FB0F544435EA0EC3797EF2CE50CC744
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strcmp$strncmp
                                            • String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
                                            • API String ID: 1244041713-3630080479
                                            • Opcode ID: ff7ab3dd10132a1bc7cb37f82a4b0f7d0190ecbe7ea3f92170d1e7582b2abc71
                                            • Instruction ID: c29f6ee1a41af79c805aa065e150610231d16cf007c360de573d1051126a8c56
                                            • Opcode Fuzzy Hash: ff7ab3dd10132a1bc7cb37f82a4b0f7d0190ecbe7ea3f92170d1e7582b2abc71
                                            • Instruction Fuzzy Hash: 8FC14D62F0E64382FB14EB15A471EB96291EF85B88F588032DD6D076EDEF7CE5858340
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ..\s\crypto\rand\randfile.c$Filename=$i
                                            • API String ID: 0-1799673945
                                            • Opcode ID: 82adcac0c91a268a08566efa787beb0c4afc2754627d48882ba96cfc7e1ce6f1
                                            • Instruction ID: 0f56b0f07d48644b3d91b8beb51c129f90cf42fbd58467b9632a2aa27d4af1e1
                                            • Opcode Fuzzy Hash: 82adcac0c91a268a08566efa787beb0c4afc2754627d48882ba96cfc7e1ce6f1
                                            • Instruction Fuzzy Hash: AE51A532B0EA8786F710AB15D860A7A6791EF80B84F444135D92E87AFDEF3CE545CB40
                                            APIs
                                            • PyMapping_Check.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102325C0
                                            • PyMapping_GetItemString.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102325DD
                                            • PyLong_AsUnsignedLongLong.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102325EE
                                            • PyErr_Occurred.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE10232601
                                            • PyErr_ExceptionMatches.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE1023266B
                                            • PyErr_Format.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102326A7
                                            • PyErr_SetString.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102326C0
                                              • Part of subcall function 00007FFE10232A00: _PyArg_ParseTupleAndKeywords_SizeT.PYTHON38 ref: 00007FFE10232A44
                                              • Part of subcall function 00007FFE10232A00: PyMem_Malloc.PYTHON38 ref: 00007FFE10232A53
                                            • PyErr_SetString.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE1025EFCB
                                            • _Py_Dealloc.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE1025EFDB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Err_$String$LongMapping_$Arg_CheckDeallocExceptionFormatItemKeywords_Long_MallocMatchesMem_OccurredParseSizeTupleUnsigned
                                            • String ID: Filter specifier must be a dict or dict-like object$Filter specifier must have an "id" entry$Invalid filter ID: %llu
                                            • API String ID: 1060424730-3390802605
                                            • Opcode ID: 6cf36963b717ce5dd333766c74d7524b21dfadbb5399a506ac4ea2c17fdb4dfd
                                            • Instruction ID: 7f5c96a1620bcf1c01aae5ca091843111448cb18707c01121352f528f3f42f37
                                            • Opcode Fuzzy Hash: 6cf36963b717ce5dd333766c74d7524b21dfadbb5399a506ac4ea2c17fdb4dfd
                                            • Instruction Fuzzy Hash: 0E316070A0CE4285EA548B17E4941792BA4AFCEBA4F4440B1EF1E4B776DF6CE499DB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Err_$String$Arg_FormatKeywords_ParseSizeThread_allocate_lockThread_free_lockTuple
                                            • String ID: Cannot specify both preset and filter chain$Integrity checks are only supported by FORMAT_XZ$Invalid container format: %d$Unable to allocate lock$|iiOO:LZMACompressor
                                            • API String ID: 278943766-3984722346
                                            • Opcode ID: daaf8f960433acfb1f8a82b0481806d04f96595f8fd2db68aed73cfada0b10a3
                                            • Instruction ID: fefe46aae96f6fadde7c971aa7469a910648e2a722c89ed0d6e84467670535c9
                                            • Opcode Fuzzy Hash: daaf8f960433acfb1f8a82b0481806d04f96595f8fd2db68aed73cfada0b10a3
                                            • Instruction Fuzzy Hash: 3D713E72B08E4289EB60CB62D4901BD2BB5AB88768F600176DF5D57BBADF3CE445D340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: L_sk_num$L_sk_freeL_sk_value$L_sk_dupL_sk_insertL_sk_set_cmp_funcL_sk_sort
                                            • String ID:
                                            • API String ID: 567883156-0
                                            • Opcode ID: efb8e30b7614238f6bec727fef9f359d8886d255d7fd97784a2dd3b8903396cd
                                            • Instruction ID: 21d60831d677ce822a636beb6ce7fe13826b9a76943d1a7e9989920bfee159eb
                                            • Opcode Fuzzy Hash: efb8e30b7614238f6bec727fef9f359d8886d255d7fd97784a2dd3b8903396cd
                                            • Instruction Fuzzy Hash: 31214F21B0968240FA64EB56A95227DA795AFDABC0F048031EF0E477BFDE3DE4518704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Y_id
                                            • String ID: ..\s\ssl\t1_lib.c$`}T$t
                                            • API String ID: 239174422-2895464657
                                            • Opcode ID: f52a62b2523754e781ff566b38aba5910ee3672e9c376cf398510df6838e0b10
                                            • Instruction ID: 2f108427c9a95c8771f89944633f7e9161bb0ac8bbb4587fa3a416f564fc6e76
                                            • Opcode Fuzzy Hash: f52a62b2523754e781ff566b38aba5910ee3672e9c376cf398510df6838e0b10
                                            • Instruction Fuzzy Hash: 07A1B031B0824282FB74DA96E09077E26A0EFA6794F544535EB8D47BB9DF3CE5818B04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strchr
                                            • String ID: ..\s\crypto\ocsp\ocsp_lib.c$/$/$443$[$http$https
                                            • API String ID: 2830005266-535551730
                                            • Opcode ID: 1450dc5acfa5919d4b5f2c37678ebbbaae2223542720f04f20de3dc073323ff7
                                            • Instruction ID: 40d5c74ffb2b3f483d48b7a1203a383f8db37a8f05a9d8de42d6bc1f72b22384
                                            • Opcode Fuzzy Hash: 1450dc5acfa5919d4b5f2c37678ebbbaae2223542720f04f20de3dc073323ff7
                                            • Instruction Fuzzy Hash: C861C222B0BB8782FB11EB15D420A7927A0AB49794F844131DE6E873F9EEBDE555C300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: atoi$strcmp
                                            • String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
                                            • API String ID: 4175852868-1596076588
                                            • Opcode ID: 2cd3f5b2f00799a312427ae8368db590ea89c53adb3628a3911aae2e907d8c07
                                            • Instruction ID: d721317aea3579192c863bc415417b37c8710e37affcd1efb8ba15b963c78d14
                                            • Opcode Fuzzy Hash: 2cd3f5b2f00799a312427ae8368db590ea89c53adb3628a3911aae2e907d8c07
                                            • Instruction Fuzzy Hash: 8E518162B4AA0787EB14AB66E9209B973D1BF44B84F444432DD2E437F9EF3CE5498300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free$O_new$O_f_buffer
                                            • String ID:
                                            • API String ID: 3969801849-0
                                            • Opcode ID: ac10ef4fb08e49e8259201ad30d98fb617a9911cef8cea96271d729aebdf7adb
                                            • Instruction ID: 2c1b2024fa936518e39045fcaf99fcaaef4368161850bbdc2225ac3242613851
                                            • Opcode Fuzzy Hash: ac10ef4fb08e49e8259201ad30d98fb617a9911cef8cea96271d729aebdf7adb
                                            • Instruction Fuzzy Hash: 38212755F1E64249FDE5BBA2A5616F853919F96B80F1C0034EF0E0BBAFEF2CE5518204
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: X_freeY_free$X_new
                                            • String ID: ..\s\ssl\statem\extensions_srvr.c
                                            • API String ID: 762765117-1853348325
                                            • Opcode ID: 86e3e10e343218788b4bdbed8e037aa15da1a653522120854daf60d71ebb1878
                                            • Instruction ID: 66e6f9065fcfa0eab8fff8d9e0d069f5d5c6bf1626a9c4d1096aed8c2a437abc
                                            • Opcode Fuzzy Hash: 86e3e10e343218788b4bdbed8e037aa15da1a653522120854daf60d71ebb1878
                                            • Instruction Fuzzy Hash: 0612C222A0C68282FB708B55E4587BE67A0EF85794F448531EB8D46BEDDF7CE645CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: L_sk_num$L_sk_valueY_id
                                            • String ID: `}T
                                            • API String ID: 483135270-1090617444
                                            • Opcode ID: 622626f85f690a00523df5c3331690ed6bd9aed58cdc88be906ce11863412a61
                                            • Instruction ID: 8c73438823f7f626904c304977a9bf22c6c6adce5870e9b0c0e6e0be4ef4b323
                                            • Opcode Fuzzy Hash: 622626f85f690a00523df5c3331690ed6bd9aed58cdc88be906ce11863412a61
                                            • Instruction Fuzzy Hash: B2717E61A0CA4281FEB4AA9695443B96691AF73B81F544431DF0E873FEFE3CE8818745
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
                                            • String ID: Service-0x$_OPENSSL_isservice
                                            • API String ID: 459917433-1672312481
                                            • Opcode ID: b6de1349606f8c84054d1884d33e342133e89650bd9c480de85c05e8c513b566
                                            • Instruction ID: 413467c3f090ea7f03c15dced479cdf5260ff9b5eeaaecf4ec0111cf5b3e1df6
                                            • Opcode Fuzzy Hash: b6de1349606f8c84054d1884d33e342133e89650bd9c480de85c05e8c513b566
                                            • Instruction Fuzzy Hash: 72416422B06B8396EB509F28D860AA83390EF44778B484735E63D4ABFDDF3CE5558300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strncmp
                                            • String ID: %-8d$, path=$, retcode=$, value=$..\s\crypto\conf\conf_mod.c$OPENSSL_finish$OPENSSL_init$module=$path
                                            • API String ID: 1114863663-3652895664
                                            • Opcode ID: f0f2df2857c99d0e9a1bab6bd23ade925b679c7646d81e4b1718c08ac661ff27
                                            • Instruction ID: 85cf23a8d8a4ecc7a644a4059001b0ad38249f6b1c2924fc6673a9255759d506
                                            • Opcode Fuzzy Hash: f0f2df2857c99d0e9a1bab6bd23ade925b679c7646d81e4b1718c08ac661ff27
                                            • Instruction Fuzzy Hash: 9EA18022B0AB8781FB10AF55A864AB92290BF45B94F484135DD6D4BBFDEF3CE5858700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: -$:$f$p$p
                                            • API String ID: 3215553584-2013873522
                                            • Opcode ID: 4cf7e6b867a9921ad7ec7aa07c9b27dd84d4bc01ad74cf8c657fddc9a570da3b
                                            • Instruction ID: 3cbb5c7aefff4a732fa15f41331928e2e9116459189ff57c048e0a50fe841adc
                                            • Opcode Fuzzy Hash: 4cf7e6b867a9921ad7ec7aa07c9b27dd84d4bc01ad74cf8c657fddc9a570da3b
                                            • Instruction Fuzzy Hash: 9712B465E0DA4386FB205A14F0542B9769AFBC0F60F9C4035F78986BE6DF3CE5988B11
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: f$f$p$p$f
                                            • API String ID: 3215553584-1325933183
                                            • Opcode ID: 2761c62bb11862c53203c4a1c44b9eb9fed40e0afa0247b40f2c3f0b102f2d4b
                                            • Instruction ID: 3d9b22b20fd4b574aca6418d5f58430801db014505d8b8739ff2b2e5963d5d89
                                            • Opcode Fuzzy Hash: 2761c62bb11862c53203c4a1c44b9eb9fed40e0afa0247b40f2c3f0b102f2d4b
                                            • Instruction Fuzzy Hash: E9127561E0C94B86FB646E14E0646B97A99FB40F74FD84035D689C67C6DF3CE98C8B02
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorLastsetsockopt
                                            • String ID: ..\s\crypto\bio\b_sock2.c$o
                                            • API String ID: 1729277954-1872632005
                                            • Opcode ID: 7e0bb203e7b6d1f3c3ec1daaf2b685325e8439be5433fcd9026a25cfaf560743
                                            • Instruction ID: e7912e781fba455abc71f751a2a2a4f3906abfd61158a93fe46cbf10006a3da8
                                            • Opcode Fuzzy Hash: 7e0bb203e7b6d1f3c3ec1daaf2b685325e8439be5433fcd9026a25cfaf560743
                                            • Instruction Fuzzy Hash: 1F51D332F095538AE320AF11E824BA977A1FB84B48F544535E66C43AEDDF3DE549CB40
                                            APIs
                                            • GetTempPathW.KERNEL32(?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF611796F14
                                            • GetCurrentProcessId.KERNEL32(?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF611796F1A
                                            • CreateDirectoryW.KERNEL32(?,00000000,FFFFFFFF,00007FF611792AA6), ref: 00007FF611796F5C
                                              • Part of subcall function 00007FF611797040: GetEnvironmentVariableW.KERNEL32(00007FF6117929B0), ref: 00007FF611797077
                                              • Part of subcall function 00007FF611797040: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF611797099
                                              • Part of subcall function 00007FF6117A7DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117A7E05
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Environment$CreateCurrentDirectoryExpandPathProcessStringsTempVariable_invalid_parameter_noinfo
                                            • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                            • API String ID: 365913792-1339014028
                                            • Opcode ID: 1079126f6a4ddcf722a492642612c35472ea5babfff1417671dae8759fe686ad
                                            • Instruction ID: 9b778db8ca6e903e2bdd99fae5b74190eb77ad9348f2a70066c6b77c34212508
                                            • Opcode Fuzzy Hash: 1079126f6a4ddcf722a492642612c35472ea5babfff1417671dae8759fe686ad
                                            • Instruction Fuzzy Hash: 4041D311A09E4640EB20EB25E8612F952A9AF48FF4F484131ED0EC77A7EE3CE54CC700
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                            • API String ID: 2050909247-3659356012
                                            • Opcode ID: 2995f616121816a5149e4109bdedc99592c942b4b8c1961bde950477da082986
                                            • Instruction ID: 78e9261896dd91264a73854f53125dafe7c60b60c07727885db5de1455a31c88
                                            • Opcode Fuzzy Hash: 2995f616121816a5149e4109bdedc99592c942b4b8c1961bde950477da082986
                                            • Instruction Fuzzy Hash: 6041A461B48E4A56EB249B16B8602B6A3A8FF44FF4F488035DD5D87B97DE3CE05D8340
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: HandleModule$AddressProc__stdio_common_vswprintf
                                            • String ID: OPENSSL_Applink$OPENSSL_Uplink(%p,%02X): $_ssl.pyd$_ssl_d.pyd
                                            • API String ID: 572638636-1130596517
                                            • Opcode ID: 907cd2e40e76132a629c501b4f4a8d993da12be8eaff7a1ccb1630e611342407
                                            • Instruction ID: d0e9e81ff298db4099581ab2bc251e7ba16f87aa3b6c30eea788e241074ae9b0
                                            • Opcode Fuzzy Hash: 907cd2e40e76132a629c501b4f4a8d993da12be8eaff7a1ccb1630e611342407
                                            • Instruction Fuzzy Hash: 96511C21E4AB83C6E715AF28E92097437A1BF58768B055736E97D022F9EF3CA5958300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                            • String ID: CreateProcessW$Failed to create child process!
                                            • API String ID: 2895956056-699529898
                                            • Opcode ID: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                            • Instruction ID: 81192d72e0f3bbf235e55dd5db980eb5059b6b670ab155f4c81bbd574a49b8b5
                                            • Opcode Fuzzy Hash: 0ec6545137c218525aca36a5c69f06ebb26d0c39709c03294cc33139ca873a5f
                                            • Instruction Fuzzy Hash: C9412132A08F8685EB209B64F4552BAA3A8FB85774F544335E6AD877D6DF7CD0488B00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strcmpstrncmpstrtoul
                                            • String ID: MASK:$default$nombstr$pkix$utf8only
                                            • API String ID: 1175158921-3483942737
                                            • Opcode ID: 4f08fd2ef779e1dccde5490eab134fe8d731f1e86734f1b2de3a0fb01addaf33
                                            • Instruction ID: 3e46a887f50590f11abc54c272f6ca6858bc71fe985170d1d63b1e73d8b236ce
                                            • Opcode Fuzzy Hash: 4f08fd2ef779e1dccde5490eab134fe8d731f1e86734f1b2de3a0fb01addaf33
                                            • Instruction Fuzzy Hash: 20311823F1E58382EB518B18F560BB83B90EB49788F444132EA7E476F9EE1CE591C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error$Y_new
                                            • String ID: ..\s\ssl\ssl_rsa.c
                                            • API String ID: 2632022502-2723262194
                                            • Opcode ID: 07d59772858b8cf33ac669a744615438c5ba041662f0fcd3673215319aac739a
                                            • Instruction ID: 44402115bb571ad6c8e2c6b4fec73e93a573b50bba9e4884b57493388025183b
                                            • Opcode Fuzzy Hash: 07d59772858b8cf33ac669a744615438c5ba041662f0fcd3673215319aac739a
                                            • Instruction Fuzzy Hash: AF218822B0864182EA64EB65F5111FE63A1EF997C8F590030EB4C47BAFDF2DD9458B04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Arg_Buffer_Long$ArgumentBufferCheckContiguousErr_Long_Object_OccurredPositionalReleaseUnsignedfree
                                            • String ID: _decode_filter_properties$argument 2$contiguous buffer
                                            • API String ID: 178199236-2431706548
                                            • Opcode ID: 2c1272268405956133bd58d1927262ab612f82c000a03af254906e208319e235
                                            • Instruction ID: 6a0a87fc25b0d912029e9565dfc7991c4b43ddb06c06f331069eedb2cc7b5b06
                                            • Opcode Fuzzy Hash: 2c1272268405956133bd58d1927262ab612f82c000a03af254906e208319e235
                                            • Instruction Fuzzy Hash: 99216B62A1CE8281EB608B22F8842B92774FBC8BA4F644175DBAD86766DF7CD545C700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_free_allO_next$O_popO_pushO_up_ref
                                            • String ID:
                                            • API String ID: 1496992895-0
                                            • Opcode ID: 520a8169a5bb445dfb46190afb3847230a38cf7a9569163ee0171fb95297f13f
                                            • Instruction ID: 27bb319d2348afac98f13e6b44fc412b5b30404f8557dff9b92e43acecbec314
                                            • Opcode Fuzzy Hash: 520a8169a5bb445dfb46190afb3847230a38cf7a9569163ee0171fb95297f13f
                                            • Instruction Fuzzy Hash: 24312F22A09A8185EA68EF52D54117CA3A0FF65FC4F144531EF5D07BAECF28E8A1C745
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_set_flags$O_set_retry_reason$O_clear_flagsO_get_retry_reasonR_put_error
                                            • String ID:
                                            • API String ID: 1383309399-0
                                            • Opcode ID: a384e5f8823bb122c4a9dfda7985730e190f7dc4b5fe5da1b685e4418e8f895e
                                            • Instruction ID: 07b2117175b67409dd42b5d41a280476c50f60eb3c4b1711c64f1cfff512dd12
                                            • Opcode Fuzzy Hash: a384e5f8823bb122c4a9dfda7985730e190f7dc4b5fe5da1b685e4418e8f895e
                                            • Instruction Fuzzy Hash: 8B111811B0C15243F5E8A66652726BD53419FD2B80F518531EF0A4BFBFDE2DE5434209
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                            • String ID: csm$csm$csm
                                            • API String ID: 849930591-393685449
                                            • Opcode ID: c5270a4f35af077b5cb6a45d2d3941eb25c66998b702b56485634ee7620a4e43
                                            • Instruction ID: fbfe0419c8a381bdd76c25523d84ca156a045736c958e6b042f80f1603c0007f
                                            • Opcode Fuzzy Hash: c5270a4f35af077b5cb6a45d2d3941eb25c66998b702b56485634ee7620a4e43
                                            • Instruction Fuzzy Hash: BFD17E73A08B4986EB209B65D4503AD77A8FB55BB8F100135EE4D97B9ADF38E48DC700
                                            APIs
                                            • FreeLibrary.KERNEL32(?,?,?,00007FF6117AEF96,?,?,000002492CE06BD8,00007FF6117AA8DB,?,?,?,00007FF6117AA7D2,?,?,?,00007FF6117A5D5E), ref: 00007FF6117AED78
                                            • GetProcAddress.KERNEL32(?,?,?,00007FF6117AEF96,?,?,000002492CE06BD8,00007FF6117AA8DB,?,?,?,00007FF6117AA7D2,?,?,?,00007FF6117A5D5E), ref: 00007FF6117AED84
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: AddressFreeLibraryProc
                                            • String ID: api-ms-$ext-ms-
                                            • API String ID: 3013587201-537541572
                                            • Opcode ID: 273539b1e858eeecb2bd33ed0d4241c55d8440a82afd6c27fbd9155d092c88af
                                            • Instruction ID: 91474470568cd5638759b2286e7ead47e50186b39b04f5be9b68a997d7361353
                                            • Opcode Fuzzy Hash: 273539b1e858eeecb2bd33ed0d4241c55d8440a82afd6c27fbd9155d092c88af
                                            • Instruction Fuzzy Hash: 2441B022B19E2246EB268B1AB8106752399BF45FB0F1C4935DD1DC77A6EF3CE44D8344
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_ctrlO_freeO_newO_s_fileR_put_error
                                            • String ID: ..\s\ssl\ssl_rsa.c
                                            • API String ID: 2618924202-2723262194
                                            • Opcode ID: f93f95d0bd75fbb7435a5988d182de84b9e7a844c63013b6fd1f749ac6945a90
                                            • Instruction ID: afe6fc03d8183e1a47e3ae4ce0733033328e080f8a63496f784afb6f6c43482b
                                            • Opcode Fuzzy Hash: f93f95d0bd75fbb7435a5988d182de84b9e7a844c63013b6fd1f749ac6945a90
                                            • Instruction Fuzzy Hash: BE318F61A0C68292F6749B52A4003BE6651FF85B84F144035EB8D0BBAEDF3CE5058708
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_freeO_newO_s_fileR_clear_errorR_put_errorX509_free
                                            • String ID: ..\s\ssl\ssl_rsa.c
                                            • API String ID: 1025733963-2723262194
                                            • Opcode ID: 7e73416609eb91a4b42bdbde52ac007e4a5475fdec970492dddfd46e9b7bbb0a
                                            • Instruction ID: 7f1f2d25b92b66aee078c1983edd194addfda914f7ddcd2d3e303c3e995bb4eb
                                            • Opcode Fuzzy Hash: 7e73416609eb91a4b42bdbde52ac007e4a5475fdec970492dddfd46e9b7bbb0a
                                            • Instruction Fuzzy Hash: 4611C422A09682C6F654EBA2A9116BE6660FF59B84F048035FF4C577AFDF3CE5428704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Eval_Thread$Bytes_RestoreSaveStringThread_acquire_lock$Err_FromResizeSizeThread_release_lock
                                            • String ID: Already at end of stream
                                            • API String ID: 632489970-1334556646
                                            • Opcode ID: 92807b60647cfed729af7e329e233d5f1debb9af1c1756b2a787d85d39671696
                                            • Instruction ID: 12335fbd632f93bb9ad1b4b2b81304ee2da4bb76f07ee50a9e03f6c1fa0f7025
                                            • Opcode Fuzzy Hash: 92807b60647cfed729af7e329e233d5f1debb9af1c1756b2a787d85d39671696
                                            • Instruction Fuzzy Hash: 24112B62A08E8282E654CB53E88456A6B71FBC9FD4F0440B2EF5E57B66DF3CE055C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Eval_Thread$Bytes_RestoreSaveStringThread_acquire_lock$Err_FromResizeSizeThread_release_lock
                                            • String ID: Compressor has been flushed
                                            • API String ID: 632489970-3904734015
                                            • Opcode ID: dc9b0a7fa9d90a9b8f5e3edefbf0f6d1709fdcaea608debb5193a8bfda44cf6d
                                            • Instruction ID: 33e88b039f21d528da1e9fda2f20737ba748db726f5c3c11519c16af329cacf0
                                            • Opcode Fuzzy Hash: dc9b0a7fa9d90a9b8f5e3edefbf0f6d1709fdcaea608debb5193a8bfda44cf6d
                                            • Instruction Fuzzy Hash: 04112865A08E8282E684CB53E89466A6B75FBC8F90F0450B2EF1E47B75CF3CE455C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Eval_Thread$Bytes_RestoreSaveStringThread_acquire_lock$Err_FromResizeSizeThread_release_lock
                                            • String ID: Repeated call to flush()
                                            • API String ID: 632489970-194442007
                                            • Opcode ID: 88e33c4141c3be84557745ab3dacced38fd3302644c369158451591eb9818fbd
                                            • Instruction ID: 6087493e62f5f7fc1d922ae21af3d072705db78e9fa867751db0a2ffde979388
                                            • Opcode Fuzzy Hash: 88e33c4141c3be84557745ab3dacced38fd3302644c369158451591eb9818fbd
                                            • Instruction Fuzzy Hash: CA111F21A08E5282E7949B23E49437A6771AFC8FA4F1450B1EE1E4B775CF7CD445D701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memsetstrncpy
                                            • String ID: , failure codes: $, status text: $..\s\crypto\ts\ts_rsp_verify.c$status code: $unknown code$unspecified
                                            • API String ID: 388311670-2553778726
                                            • Opcode ID: 5344d69a15d4affdc656221a603e3fe015904499717153b9ba3b33250bc54aa6
                                            • Instruction ID: 97af80ef3843e9849024867c6e871c6c05ee8273c6b51dc7dea36cb9e319725b
                                            • Opcode Fuzzy Hash: 5344d69a15d4affdc656221a603e3fe015904499717153b9ba3b33250bc54aa6
                                            • Instruction Fuzzy Hash: 9F81AF22F4AA8386E720AB11E564BB963D0EB85B84F840135DE6D437EDEF3DE549C700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_peek_error
                                            • String ID:
                                            • API String ID: 3623038435-0
                                            • Opcode ID: 800adae20ab6afd4904e92dcb92a1d70157fb9ddcb4d920e0440579202260c25
                                            • Instruction ID: 5562d310810e40f2d681754ade3379b5bd93808ab4fc9006996b4f279d1a558d
                                            • Opcode Fuzzy Hash: 800adae20ab6afd4904e92dcb92a1d70157fb9ddcb4d920e0440579202260c25
                                            • Instruction Fuzzy Hash: C34163A2E1918382FFA4976692413792291DF95B94F185034EF0D477EDEF1DE8D28708
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Y_copy_parametersY_freeY_newY_set1_tls_encodedpoint
                                            • String ID: ..\s\ssl\statem\extensions_clnt.c
                                            • API String ID: 3743944661-592572767
                                            • Opcode ID: 06b98e1bac9c521831dea9cfcb4584b858e01c90b891c520814522c3ada8d04a
                                            • Instruction ID: 3f10e541c28c15e507437bcc68f37bb3e77aad8188087cf69c87b485f46939da
                                            • Opcode Fuzzy Hash: 06b98e1bac9c521831dea9cfcb4584b858e01c90b891c520814522c3ada8d04a
                                            • Instruction Fuzzy Hash: A491C372E0978186E7608B11E44067A77A2EB85BD5F484231EF8D17BA9DF3CE591CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: L_sk_pop_free$E_freeL_sk_newL_sk_pushX509_
                                            • String ID: ..\s\ssl\statem\statem_lib.c
                                            • API String ID: 3595667005-2839845709
                                            • Opcode ID: cfd14e11c1dd70195e2062184f58748feffc33e98eea74f913a876a574866a6c
                                            • Instruction ID: 1652d66fbbd4b95a9d51e77445b256d38559b2f6329ffa8a4e44a82dc48a74a5
                                            • Opcode Fuzzy Hash: cfd14e11c1dd70195e2062184f58748feffc33e98eea74f913a876a574866a6c
                                            • Instruction Fuzzy Hash: 1B51C232A1C68182EB708B15E4546BA7B92FF45794F448231EB8D47BB9EF3CD295CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strchr
                                            • String ID: characters$ to $..\s\crypto\ui\ui_lib.c$You must type in
                                            • API String ID: 2830005266-3422546668
                                            • Opcode ID: 198e210ea88856fd5583734b0824f289dc36a39d16435e0087f3c0102665f118
                                            • Instruction ID: 9083ec8cacbb05dec24a90a5c520ed7bfb177fc41061a03935b37b2de9e5eafe
                                            • Opcode Fuzzy Hash: 198e210ea88856fd5583734b0824f289dc36a39d16435e0087f3c0102665f118
                                            • Instruction Fuzzy Hash: 9E51BF62B4E64787EB20AF24D420A7937A0EB44B48F544132EE6C476F9DF3DE955C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _stricmpstrchrstrncmp
                                            • String ID: ..\s\crypto\store\store_lib.c$T$file
                                            • API String ID: 3017659097-909561481
                                            • Opcode ID: 503d7c060f9ca88cb13353a6b662c23f936918faa0af8a7225bb6e83a0b4d6aa
                                            • Instruction ID: 0ac58eb0b34d2e6c00ccb214ed3e6be47ae9a331909e9d6a8962aa64a6440621
                                            • Opcode Fuzzy Hash: 503d7c060f9ca88cb13353a6b662c23f936918faa0af8a7225bb6e83a0b4d6aa
                                            • Instruction Fuzzy Hash: 84419432B4AA5796EB11EF11E8609A973A4FB89B88F444035DE5D077E8EF3CE545C700
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C17D
                                            • GetLastError.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C18B
                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C1B5
                                            • FreeLibrary.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C223
                                            • GetProcAddress.KERNEL32(?,?,?,00007FF61179C3AA,?,?,?,00007FF61179C09C,?,?,?,00007FF61179BC99), ref: 00007FF61179C22F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            • Opcode ID: e5c3313d4d9644a9ae338b272818f224d8465b9764fd00572b6e393a8b0d30f2
                                            • Instruction ID: 3006a8b14290813e606776d3885f15ef22aed366e950815050c41345ab29b7e3
                                            • Opcode Fuzzy Hash: e5c3313d4d9644a9ae338b272818f224d8465b9764fd00572b6e393a8b0d30f2
                                            • Instruction Fuzzy Hash: B031C4A1B1AE0A81EF119B46A82067522ACBF09FB0F594535DD2DC7342EF3CE44C8304
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_ctrlO_freeX_new
                                            • String ID: ..\s\ssl\s3_enc.c
                                            • API String ID: 22238829-1839494539
                                            • Opcode ID: 81855a1758eba1e16b0fd5633bb0eebb741b43f92765a0cf8f0c49d1d621d59c
                                            • Instruction ID: 9442d1db8486fc85d9b13527e2db8017bc35f8841a916cb4048effa73c6dbbba
                                            • Opcode Fuzzy Hash: 81855a1758eba1e16b0fd5633bb0eebb741b43f92765a0cf8f0c49d1d621d59c
                                            • Instruction Fuzzy Hash: 32419232709A8186E790CB16E4443AE63A0EBC9BD4F184431EF8D5B7ADDF3DD5858704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _chmod_stat64i32fclosefwrite
                                            • String ID: ..\s\crypto\rand\randfile.c$Filename=
                                            • API String ID: 4260490851-2201148535
                                            • Opcode ID: 725c6fac1bfe01321c189ffd89e05f613ec65d9189477b0c1f0ec914f71a5224
                                            • Instruction ID: a3d0d02e320b4ba0f144eaa3733559f44646122a6e5ab25d149116d2b54e8cd0
                                            • Opcode Fuzzy Hash: 725c6fac1bfe01321c189ffd89e05f613ec65d9189477b0c1f0ec914f71a5224
                                            • Instruction Fuzzy Hash: B8317072B1AA8782E720EB15E461BA96391FF44748F444035EA2D477F9EF3CE549CB00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                            • String ID:
                                            • API String ID: 995526605-0
                                            • Opcode ID: ab8c9bcb3de3276d530732498f7a74dde8d241811306e57849d617d73cd82281
                                            • Instruction ID: 33e3dfd30ae3986983cf226a419761b4a119afd9c026720583e9fbf84302dbfe
                                            • Opcode Fuzzy Hash: ab8c9bcb3de3276d530732498f7a74dde8d241811306e57849d617d73cd82281
                                            • Instruction Fuzzy Hash: 67212121A0CE4642EB609B55A45423AA3A8EF85BB0F544335EA7D83BE6DF6CD48DC700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Value$ErrorLast
                                            • String ID:
                                            • API String ID: 2506987500-0
                                            • Opcode ID: 2d7e9b92152e969ab98a5bc7bfa55def46723a2a205e91dfbdb8d38609dd549d
                                            • Instruction ID: 3bcec154fce652324c8f7eacfcd2a92fc4829508883db53259a7c345ab0b1eb5
                                            • Opcode Fuzzy Hash: 2d7e9b92152e969ab98a5bc7bfa55def46723a2a205e91dfbdb8d38609dd549d
                                            • Instruction Fuzzy Hash: 12218E20A0CE9642FB6873217651179125D8F54FB1F184A35E97EC77EBDE2CF4884740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                            • String ID: CONOUT$
                                            • API String ID: 3230265001-3130406586
                                            • Opcode ID: cde044b729814a6b4b389e6e013c9bdbf801f90403088e59f1e1d6a2ccecc8e7
                                            • Instruction ID: 25b219464e5f5f692938f68b929ee57625f65ae5bec54e8a265d5924e5adc112
                                            • Opcode Fuzzy Hash: cde044b729814a6b4b389e6e013c9bdbf801f90403088e59f1e1d6a2ccecc8e7
                                            • Instruction Fuzzy Hash: 74114C21B18E4686E7608B52A844329A6A8FB88FF4F048634EE5DC7795DF7CD8488748
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Err_$Arg_Keywords_MallocMem_MemoryParseSizeStringTuple
                                            • String ID: Invalid filter specifier for delta filter$|OO&
                                            • API String ID: 2032770062-2010576982
                                            • Opcode ID: fa421c5f08331c56c3117a4889c53acac59b30255491a91a75089aa16e5440a2
                                            • Instruction ID: 9dcae383168fac1c96c4220ac52e08228c6be6f21c7a9f4b77f496a27c3a002f
                                            • Opcode Fuzzy Hash: fa421c5f08331c56c3117a4889c53acac59b30255491a91a75089aa16e5440a2
                                            • Instruction Fuzzy Hash: 2411F271A08F4686EA048F52F89016A7BB4FBC9B60F9041BAEA9D43375DF3CE558D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Err_$Arg_Keywords_MallocMem_MemoryParseSizeStringTuple
                                            • String ID: Invalid filter specifier for BCJ filter$|OO&
                                            • API String ID: 2032770062-3728029529
                                            • Opcode ID: 0ef78aed039e5b378a0aebbe228081d0993ff2e920a3cc964f14a742340c744c
                                            • Instruction ID: 3548d265f7cce33ac94d274e2ed32ef84bd3ca5ca38848bb52652813af5eabbe
                                            • Opcode Fuzzy Hash: 0ef78aed039e5b378a0aebbe228081d0993ff2e920a3cc964f14a742340c744c
                                            • Instruction Fuzzy Hash: 38011771A08F469AEA108F52E89016A7BB0FBC97A0F8000B9EB5E47371DF3CE549D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmove
                                            • String ID: )$..\s\crypto\evp\p5_crpt.c$assertion failed: EVP_CIPHER_iv_length(cipher) <= 16$assertion failed: EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
                                            • API String ID: 2162964266-3025833483
                                            • Opcode ID: d4c1e3f06c2810839b8112079928d9e6766f37ae9ec5cf3b44562ddb7b1bd44c
                                            • Instruction ID: 04eee987a736165c46177c7e860c9a6663074601ea587c27a7bda678321cc069
                                            • Opcode Fuzzy Hash: d4c1e3f06c2810839b8112079928d9e6766f37ae9ec5cf3b44562ddb7b1bd44c
                                            • Instruction Fuzzy Hash: 49919762F1E94749EB60EB1594A1FBA6390EF447C4F449031E96D87AEDEF3CE4458B00
                                            APIs
                                            • strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FB9A
                                            • strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FBC8
                                            • strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FBDC
                                            • strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FDB4
                                            • strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FDC4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strchr
                                            • String ID:
                                            • API String ID: 2830005266-0
                                            APIs
                                              • Part of subcall function 00007FF611796D20: GetCurrentProcess.KERNEL32 ref: 00007FF611796D40
                                              • Part of subcall function 00007FF611796D20: OpenProcessToken.ADVAPI32 ref: 00007FF611796D53
                                              • Part of subcall function 00007FF611796D20: GetTokenInformation.ADVAPI32 ref: 00007FF611796D78
                                              • Part of subcall function 00007FF611796D20: GetLastError.KERNEL32 ref: 00007FF611796D82
                                              • Part of subcall function 00007FF611796D20: GetTokenInformation.ADVAPI32 ref: 00007FF611796DC2
                                              • Part of subcall function 00007FF611796D20: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF611796DDE
                                              • Part of subcall function 00007FF611796D20: CloseHandle.KERNEL32 ref: 00007FF611796DF6
                                            • LocalFree.KERNEL32(00000000,00007FF611792A89), ref: 00007FF61179751C
                                            • LocalFree.KERNEL32 ref: 00007FF611797525
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Similarity
                                            • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                            • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                            • API String ID: 6828938-1529539262
                                            APIs
                                            • GetLastError.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAE57
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAE8D
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAEBA
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAECB
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAEDC
                                            • SetLastError.KERNEL32(?,?,?,00007FF6117AB111,?,?,?,?,00007FF6117AA012,?,?,?,?,00007FF6117A6F2B), ref: 00007FF6117AAEF7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Similarity
                                            • API ID: Value$ErrorLast
                                            • String ID:
                                            • API String ID: 2506987500-0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: O_ctrlmemcpy
                                            • String ID: $..\s\ssl\statem\statem_lib.c$hrT
                                            • API String ID: 2266715306-124071247
                                            APIs
                                            • PySequence_Size.PYTHON38(?,?,?,00007FFE1025E9A6), ref: 00007FFE102324D3
                                            • PySequence_GetItem.PYTHON38(?,?,?,00007FFE1025E9A6), ref: 00007FFE1023251A
                                              • Part of subcall function 00007FFE102325B0: PyMapping_Check.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102325C0
                                              • Part of subcall function 00007FFE102325B0: PyMapping_GetItemString.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102325DD
                                              • Part of subcall function 00007FFE102325B0: PyLong_AsUnsignedLongLong.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE102325EE
                                              • Part of subcall function 00007FFE102325B0: PyErr_Occurred.PYTHON38(?,?,00000000,00007FFE10232533,?,?,?,00007FFE1025E9A6), ref: 00007FFE10232601
                                            • PyErr_Format.PYTHON38(?,?,?,00007FFE1025E9A6), ref: 00007FFE1025EF9F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_ItemLongMapping_Sequence_$CheckFormatLong_OccurredSizeStringUnsigned
                                            • String ID: Too many filters - liblzma supports a maximum of %d
                                            • API String ID: 1062705235-2617632755
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_$Long_OccurredStringSubtypeType_
                                            • String ID: integer argument expected, got float
                                            • API String ID: 2189724892-1398504098
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$Buffer_Bytes_DeallocEval_ReleaseResizeRestoreThreadThread_release_lock
                                            • String ID: Unsupported integrity check
                                            • API String ID: 3780363260-3454164307
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$Buffer_Bytes_DeallocEval_ReleaseResizeRestoreThreadThread_release_lock
                                            • String ID: Input format not supported by decoder
                                            • API String ID: 3780363260-2498158508
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$Buffer_Bytes_DeallocEval_ReleaseResizeRestoreThreadThread_release_lock
                                            • String ID: Memory usage limit exceeded
                                            • API String ID: 3780363260-1638410013
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$Buffer_Bytes_DeallocEval_ReleaseResizeRestoreThreadThread_release_lock
                                            • String ID: Insufficient buffer space
                                            • API String ID: 3780363260-987315658
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$Buffer_Bytes_DeallocEval_ReleaseResizeRestoreThreadThread_release_lock
                                            • String ID: Corrupt input data
                                            • API String ID: 3780363260-1997879327
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$Buffer_Bytes_DeallocEval_ReleaseResizeRestoreThreadThread_release_lock
                                            • String ID: Invalid or unsupported options
                                            • API String ID: 3780363260-274431047
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_String$Buffer_Bytes_DeallocEval_ReleaseResizeRestoreThreadThread_release_lock
                                            • String ID: Internal error
                                            • API String ID: 3780363260-1721229332
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            • Opcode ID: 45ee2f7fa3d995a22adc73900efbbf06770fa7974e288ce688b1fb42a76d11f5
                                            • Instruction ID: cb1a9326ebf2d23a89fe5d85a98fde3f1f6e39f9c544c941879497e7372f368e
                                            • Opcode Fuzzy Hash: 45ee2f7fa3d995a22adc73900efbbf06770fa7974e288ce688b1fb42a76d11f5
                                            • Instruction Fuzzy Hash: C6F06D25A09E0685EB248B24E8443796368FF89FB1F584636DA6EC63F5EF2CD04DC704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmovememsetstrncpy
                                            • String ID: ..\s\crypto\x509\x509_obj.c$0123456789ABCDEF$NO X509_NAME
                                            • API String ID: 899670095-3422593365
                                            • Opcode ID: 5385da122bbb7b066bb6c475dcb2dcd82016b5d15de2754887e7cb5ba9eb8ce6
                                            • Instruction ID: 56985a143d49d9970f34c8785794f0a7e223cc0dade8dbc4825bc511f434e4db
                                            • Opcode Fuzzy Hash: 5385da122bbb7b066bb6c475dcb2dcd82016b5d15de2754887e7cb5ba9eb8ce6
                                            • Instruction Fuzzy Hash: E8B1BF22B4A68786EB11AB159460F7ABBD0EB44B98F084135EE6D477F9DF3CF4848740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmove
                                            • String ID: ..\s\crypto\pem\pem_lib.c$;$Enter PEM pass phrase:
                                            • API String ID: 2162964266-3733131234
                                            • Opcode ID: 8a61b3c6a358ae9897c4f46a3d158109fb8a417a44eb08eaed83332f1f5fbda0
                                            • Instruction ID: d7fc9878e87224e5ed1804240bb3e724aa43c044b0cb9fd21aeeae3826b38d28
                                            • Opcode Fuzzy Hash: 8a61b3c6a358ae9897c4f46a3d158109fb8a417a44eb08eaed83332f1f5fbda0
                                            • Instruction Fuzzy Hash: C6719266B0EA8386E720AB51E464BAE6390FB48798F440135DA6D83AEDDF3CD541CB40
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Bytes_Eval_Thread$FromResizeRestoreSaveSizeString
                                            • String ID:
                                            • API String ID: 2554473309-0
                                            • Opcode ID: f358026c78e03692aa2b957863cca0f242da1a32616e07f57893ced6fb404eb5
                                            • Instruction ID: 47e9c9f5c81b8cd90419c3bb6c5039e7a85d193a56dbc3533b2139d2d71e6dc1
                                            • Opcode Fuzzy Hash: f358026c78e03692aa2b957863cca0f242da1a32616e07f57893ced6fb404eb5
                                            • Instruction Fuzzy Hash: 56416022A08F4696DA649F26E44007A67B4FB89BB4F244671DF9D47BE6DF3CE461C200
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Bytes_Eval_Thread$DeallocFromResizeRestoreSaveSizeString
                                            • String ID:
                                            • API String ID: 3580876587-0
                                            • Opcode ID: 6103999a348e447a083171d0ed3e444c4b34bee2853b2aa2352caff6c9bdfb08
                                            • Instruction ID: 41c7243879cd6bc9d974ff616a59d2fa7ebae1063e63544028ea9ed4aa2a80b2
                                            • Opcode Fuzzy Hash: 6103999a348e447a083171d0ed3e444c4b34bee2853b2aa2352caff6c9bdfb08
                                            • Instruction Fuzzy Hash: 4C4190B2A09F8182EAA0DB26E4445BA67A5FB847B4F1501B1DF8D437B6EF7CD441C304
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _set_statfp
                                            • String ID:
                                            • API String ID: 1156100317-0
                                            • Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                            • Instruction ID: dba230ddca21015c900b2957e84065537ecf035859803f22bece59ab0e606896
                                            • Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                            • Instruction Fuzzy Hash: F41191E6E1CE0305F7941168E44637B10486F94BB4F488634E97EC63D7FF2CA948410C
                                            APIs
                                            • FlsGetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF2F
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF4E
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF76
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF87
                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6117AA167,?,?,00000000,00007FF6117AA402,?,?,?,?,?,00007FF6117AA38E), ref: 00007FF6117AAF98
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: d246c606bfef7ccb900317a1d308824ad35ed6390cb625aade358294dfc708cf
                                            • Instruction ID: 583de37c3a94eb728e4dc056f91ae1ba1127fcf17bf3f3b9e2c538b7d3ae6d0e
                                            • Opcode Fuzzy Hash: d246c606bfef7ccb900317a1d308824ad35ed6390cb625aade358294dfc708cf
                                            • Instruction Fuzzy Hash: EE116A60B0CA9246FB58A326B651179629D9F94BB0F0C4A35E93EC67F7DE2CE5498300
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: d08938828d760f30092a1b3a417574d699fcdce62774d40d0c6dd9a0552b97ef
                                            • Instruction ID: 78cfdb697633f3d7c6f4c59363e699266cc1d17dbd6fa986420638569b40e786
                                            • Opcode Fuzzy Hash: d08938828d760f30092a1b3a417574d699fcdce62774d40d0c6dd9a0552b97ef
                                            • Instruction Fuzzy Hash: 0E111C20A0D99742FBA8B2316412179114E4F58F30F1C0B34DA3ECA3E3DD2DF5494351
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: X509_$E_dupE_freeL_sk_new_nullL_sk_pushX509_get_subject_name
                                            • String ID:
                                            • API String ID: 2231116090-0
                                            • Opcode ID: c41713e368b79c33d05bb3de17cf1036769a1e5421eaeaa7542ce816bf5c8952
                                            • Instruction ID: 7bd856f35d050e72242bdb2db5fbd4eb43047db7c599ebc7270456255784556e
                                            • Opcode Fuzzy Hash: c41713e368b79c33d05bb3de17cf1036769a1e5421eaeaa7542ce816bf5c8952
                                            • Instruction Fuzzy Hash: 4E017112F0A64244FEA5A766A5163BD12909F59BC0F144031FF4D467EFEE2CE4A25706
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: X509_$E_dupE_freeL_sk_new_nullL_sk_pushX509_get_subject_name
                                            • String ID:
                                            • API String ID: 2231116090-0
                                            • Opcode ID: 5ee080137543751e1988c36c2b9cb74d50e501e58fba2acd7343e04b4d75a3e6
                                            • Instruction ID: 2d60d9b9105a7c24bfd9b0d6ac1d3d1ad2a0c9348ff98cb5d42516efd6d2e6fb
                                            • Opcode Fuzzy Hash: 5ee080137543751e1988c36c2b9cb74d50e501e58fba2acd7343e04b4d75a3e6
                                            • Instruction Fuzzy Hash: 63014B11E0A64244FEA5B6A695163B902A05F66BC0F148031EB4D4A7FFEE2CE4625346
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: D_size$_time64
                                            • String ID: ..\s\ssl\statem\extensions_clnt.c
                                            • API String ID: 2874025382-592572767
                                            • Opcode ID: fa50c9ab131934f670f17822c91ebd140dcab2364f763e0fc92996a2bb54e336
                                            • Instruction ID: 40a9515d93e61bf9412bfbd788194520561d4a5d767a08155b87bcc3d123a66c
                                            • Opcode Fuzzy Hash: fa50c9ab131934f670f17822c91ebd140dcab2364f763e0fc92996a2bb54e336
                                            • Instruction Fuzzy Hash: E5B19D32A0874285FBA49A12E5407BE6294EB46B85F084035DF4D97BBEDF7CE442CB49
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: verbose
                                            • API String ID: 3215553584-579935070
                                            • Opcode ID: db001d0b7e8f7bba3f17a0e80451e4d7df515b3a5593d2b47e06f42f007c2e84
                                            • Instruction ID: 5f55a9273b2b2ed18e58bace7396fafa9c60418f11f6172272f71a967701ace1
                                            • Opcode Fuzzy Hash: db001d0b7e8f7bba3f17a0e80451e4d7df515b3a5593d2b47e06f42f007c2e84
                                            • Instruction Fuzzy Hash: B3919F32A08E4681F7619E25E45077E37ADAB44FA4F4C8136EA5AC73E6DF3DE4498301
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _invalid_parameter_noinfo
                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                            • API String ID: 3215553584-1196891531
                                            • Opcode ID: 150c0761ae2a60fcacf4f563602d34e283ae5762a11513620c4a6975bd049ac1
                                            • Instruction ID: ea87d8ab0ee6d0517786d7086448a4550feee81431450d7fffff2be46404429d
                                            • Opcode Fuzzy Hash: 150c0761ae2a60fcacf4f563602d34e283ae5762a11513620c4a6975bd049ac1
                                            • Instruction Fuzzy Hash: EA81C172E0CA0385F7658F2AA15027C26A8AB10F64F5D8031DE4AD77E7DF2DE9499343
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,Reason=$..\s\crypto\ocsp\ocsp_ht.c$Code=
                                            • API String ID: 0-3537114172
                                            • Opcode ID: b05bd1bd0823b7d4bde059b30b02652f3a75194b8faeb629df42197b3327e635
                                            • Instruction ID: 0ca4d4cb8f6adc16e459a739e39507f471626fd29c810d0053ab155529ce495e
                                            • Opcode Fuzzy Hash: b05bd1bd0823b7d4bde059b30b02652f3a75194b8faeb629df42197b3327e635
                                            • Instruction Fuzzy Hash: D1610462B0E59342F7208B25D020B7D67D0AF49349F588035DFAD83AEDEFADE8558701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: 2b651edb78efaeb316ac5de78849fde0daa8bdd7bfc86cfa6ef8cb3431ad488b
                                            • Instruction ID: bddc54467b4aa965f7cb4e303e0fcd5145737d5b1d00615e9b6d298c8d7ede87
                                            • Opcode Fuzzy Hash: 2b651edb78efaeb316ac5de78849fde0daa8bdd7bfc86cfa6ef8cb3431ad488b
                                            • Instruction Fuzzy Hash: 2751AF32A19E4A8ADB24CF15D464E393799EB44FB8F908131DA4D8778ADF7DE849C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslator
                                            • String ID: MOC$RCC
                                            • API String ID: 3544855599-2084237596
                                            • Opcode ID: fa0bcca0a4098b59133448382c677b9a55906fb86c6f234dcd4a21c8a5653ac7
                                            • Instruction ID: b45cc752f176ba943385e09f391bfeeffde5ce2600cc850fdca4609bc3e73dbd
                                            • Opcode Fuzzy Hash: fa0bcca0a4098b59133448382c677b9a55906fb86c6f234dcd4a21c8a5653ac7
                                            • Instruction Fuzzy Hash: 29619332908FC981EB609B15E4503AEB7A4FB84BA8F544225EF9C47756DF7CE198CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                            • String ID: csm$csm
                                            • API String ID: 3896166516-3733052814
                                            • Opcode ID: b11368fb803353e75de70a3c6cdb7d5ad95833e40dd5f9cce2c99e2783eb0f67
                                            • Instruction ID: 74fc7937e63b1e2a51c66fef471e9dd20de504155d18da64f15f59c47cebff25
                                            • Opcode Fuzzy Hash: b11368fb803353e75de70a3c6cdb7d5ad95833e40dd5f9cce2c99e2783eb0f67
                                            • Instruction Fuzzy Hash: E5517F32908B8A86EB649F21D16466C77A8EB55FB4F144135DA8C87B87CF3CE45D8701
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: BIO[%p]: $bio callback - unknown type (%d)
                                            • API String ID: 0-3830480438
                                            • Opcode ID: 4afee7bd10897ec1c9191cccd40aa8cd3ea93c58207027288c1b4b552a677a83
                                            • Instruction ID: 88c01a661602ad031daebd6f43dd6642ff8bf60b2f3d354132df49bac877e4c8
                                            • Opcode Fuzzy Hash: 4afee7bd10897ec1c9191cccd40aa8cd3ea93c58207027288c1b4b552a677a83
                                            • Instruction Fuzzy Hash: 5931F922F0E5C286FB109B55E860BF96B50BB49788F544031DE5E43BE9EE3CD445C700
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ..\s\crypto\bio\b_sock.c$J$host=
                                            • API String ID: 0-1729655730
                                            • Opcode ID: 47c790b03e55e6e4d83fd1d575947752d2d6f00f3a774c6d67943214df86b8b3
                                            • Instruction ID: 8e5a73a5eb5457778d2a813a12fbd42313c8684aee26f1ecb116777556f0f2c2
                                            • Opcode Fuzzy Hash: 47c790b03e55e6e4d83fd1d575947752d2d6f00f3a774c6d67943214df86b8b3
                                            • Instruction Fuzzy Hash: CD319337F0995382EB10AB55E06196AA360FB84798F580035EB5C477EEEE7DD585CB00
                                            APIs
                                            • CreateDirectoryW.KERNEL32(00000000,?,00007FF61179240C,?,?,00007FF611792BD3), ref: 00007FF611796812
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CreateDirectory
                                            • String ID: %.*s$%s%c$\
                                            • API String ID: 4241100979-1685191245
                                            • Opcode ID: 6e5035dbc1b852fd1acf17fbddd39f3d5f0da3e0774f47cd658e59bf52890ea1
                                            • Instruction ID: 4d9d2045692d8bcfe043c43dd09c344802413e95af00abbe8a0dbcc2da137507
                                            • Opcode Fuzzy Hash: 6e5035dbc1b852fd1acf17fbddd39f3d5f0da3e0774f47cd658e59bf52890ea1
                                            • Instruction Fuzzy Hash: 2F313261A19EC945EB219B21A460BAA625DEB48FF0F444231EA6D877C6EE2CD64DC700
                                            APIs
                                            • PyDict_New.PYTHON38(?,?,00000000,00007FFE10231A66,?,?,?,?,?,?,00007FFE1023112A), ref: 00007FFE10232AAD
                                              • Part of subcall function 00007FFE10232B80: PyLong_FromUnsignedLongLong.PYTHON38(?,?,?,00007FFE10232AD1,?,?,00000000,00007FFE10231A66,?,?,?,?,?,?,00007FFE1023112A), ref: 00007FFE10232B98
                                              • Part of subcall function 00007FFE10232B80: _PyDict_SetItemId.PYTHON38(?,?,?,00007FFE10232AD1,?,?,00000000,00007FFE10231A66,?,?,?,?,?,?,00007FFE1023112A), ref: 00007FFE10232BAF
                                            • _Py_Dealloc.PYTHON38(?,?,00000000,00007FFE10231A66,?,?,?,?,?,?,00007FFE1023112A), ref: 00007FFE1025F0B6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Dict_Long$DeallocFromItemLong_Unsigned
                                            • String ID: Invalid filter ID: %llu
                                            • API String ID: 3105680221-255534617
                                            • Opcode ID: 60bdc1e31c91d3b76e71bb2a94e1fbb3750eb1f469bec9c9da8f4c1cb211f831
                                            • Instruction ID: a25f4b30309a57e7f977683172dae3281abbeb57945ffbb5a137b8408274d8f1
                                            • Opcode Fuzzy Hash: 60bdc1e31c91d3b76e71bb2a94e1fbb3750eb1f469bec9c9da8f4c1cb211f831
                                            • Instruction Fuzzy Hash: 13314D74A08F4384E9648B6794505B86B61AFC6BB4F5846B2DF2D073F7EE2CE495C300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 1767461275-1080266419
                                            • Opcode ID: 8ed6caef93683bf4b8a98ed2e08f80cefba686f38e3a2f9cc98da2c97e71c934
                                            • Instruction ID: d855d499129d5e10974c4d1dad1b6205f106adc6f1b17c46c4d488fc142b272b
                                            • Opcode Fuzzy Hash: 8ed6caef93683bf4b8a98ed2e08f80cefba686f38e3a2f9cc98da2c97e71c934
                                            • Instruction Fuzzy Hash: 5A312A32A08B8186E760DB16E4442A977A0FB88B94F544136EF8D477BECF3DE451CB04
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorLastacceptclosesocket
                                            • String ID: ..\s\crypto\bio\b_sock2.c
                                            • API String ID: 3541127826-3200932406
                                            • Opcode ID: a0d087fa52a12e7d85f3580391e0b416d0ed29d7fca10318948e78b990ae4c56
                                            • Instruction ID: 232df12327d82a4dfe94420b02d3395039068320fa61edc5627248cd3dc93708
                                            • Opcode Fuzzy Hash: a0d087fa52a12e7d85f3580391e0b416d0ed29d7fca10318948e78b990ae4c56
                                            • Instruction Fuzzy Hash: 10210632F0A94782FB10AB25E921AB96291EF44B9CF540231E97E477EDDF3CE4448700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Similarity
                                            • API ID: ErrorFormatLastMessage
                                            • String ID: %ls: %ls$<FormatMessageW failed.>
                                            • API String ID: 3479602957-1483686772
                                            • Opcode ID: ce471f065344242f80e8e4fce995234d15c7919f1d37abcf6bc16450676127a6
                                            • Instruction ID: 6f648042d55d8673d8ff9d4bc10f470366e9e4764e93b1f713b811e8d412e53c
                                            • Opcode Fuzzy Hash: ce471f065344242f80e8e4fce995234d15c7919f1d37abcf6bc16450676127a6
                                            • Instruction Fuzzy Hash: 8C11A072B08F4185F7209B12B8047AA6758BB88BE4F084135EE8E877AADF3CD54D8740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: O_new
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 458078758-1080266419
                                            • Opcode ID: ce70231a05faa6ea60785fe4a50d45faf556dfad7a4d223e9885db2279cdee14
                                            • Instruction ID: add076c3626cbc3fb097138d0a57b7985b9277914dc8cc3793f50ebacce5a963
                                            • Opcode Fuzzy Hash: ce70231a05faa6ea60785fe4a50d45faf556dfad7a4d223e9885db2279cdee14
                                            • Instruction Fuzzy Hash: 01118272F1968282FB60DB55F5113B963A0EF55780F480130EB0D0BBAAEF3DE4918604
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: L_sk_new_nullL_sk_pushR_put_error
                                            • String ID: ..\s\ssl\ssl_cert.c
                                            • API String ID: 1176158178-349359282
                                            • Opcode ID: 0a3b552f5ca6a268bae9eaa8a2172cf1cdbbb838257c9cdae93c13a70190e42f
                                            • Instruction ID: de42515ad9fed3868dd446519859e9f04aa9a7813ff8fb1c7ff8e1b6e6469ac1
                                            • Opcode Fuzzy Hash: 0a3b552f5ca6a268bae9eaa8a2172cf1cdbbb838257c9cdae93c13a70190e42f
                                            • Instruction Fuzzy Hash: 6C11CE22B09642C2FFA68B61E0003BA52E0EF45B84F094136EF9C47BBEDF3CE4408604
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Similarity
                                            • API ID: X_copy_exX_new
                                            • String ID: ..\s\ssl\statem\statem_lib.c$O
                                            • API String ID: 1626106133-1434326050
                                            • Opcode ID: 5f4293206a971d6092765721914b06ac85581f6223ac3266aa22e74197d123ed
                                            • Instruction ID: ae2457a3b613b0ff19e9fb67ff0659282e7026d1c9802bc126c8f0057a6db84b
                                            • Opcode Fuzzy Hash: 5f4293206a971d6092765721914b06ac85581f6223ac3266aa22e74197d123ed
                                            • Instruction Fuzzy Hash: 7101F132B09A0286F7B19B11C8007FE2294DF85744F444530DB8C4A3BAFF3CE5818B10
                                            APIs
                                            • PyLong_AsUnsignedLongLong.PYTHON38(?,?,00000006,00007FFE10232728), ref: 00007FFE1023290D
                                            • PyErr_Occurred.PYTHON38(?,?,00000006,00007FFE10232728), ref: 00007FFE10232916
                                            • PyErr_SetString.PYTHON38(?,?,00000006,00007FFE10232728), ref: 00007FFE1025F037
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_Long$Long_OccurredStringUnsigned
                                            • String ID: Value too large for uint32_t type
                                            • API String ID: 944333170-1712686559
                                            • Opcode ID: 928be09b8ed92c83780aac9c18a4cff94996829c3fd42b274272e79d17539c12
                                            • Instruction ID: 047223cf3945ee1dfdcd80f660462488c4397ae9169aef1ac60d0129ebf031ef
                                            • Opcode Fuzzy Hash: 928be09b8ed92c83780aac9c18a4cff94996829c3fd42b274272e79d17539c12
                                            • Instruction Fuzzy Hash: 85F03061B08A0286EB908B26F5D427927A0EF89BA4F5850B0EF5D47766EE7CD494D700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_Long$Long_OccurredStringUnsigned
                                            • String ID: Value too large for lzma_match_finder type
                                            • API String ID: 944333170-1161044407
                                            • Opcode ID: 1d1255dcbb6058784db9a74a84e4b6e39ec5f0c40d98a33cdfa5fd17b7056ff7
                                            • Instruction ID: 1ff60f324b111ffeae004e75106f7efcb33b7445c7860b02b5984b7dc47fc515
                                            • Opcode Fuzzy Hash: 1d1255dcbb6058784db9a74a84e4b6e39ec5f0c40d98a33cdfa5fd17b7056ff7
                                            • Instruction Fuzzy Hash: 02F0F861A08A4282EB904F17F4D45792BA0AF88BA5F4850B4EF5E47332EE7CE494D704
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Similarity
                                            • API ID: Err_Long$Long_OccurredStringUnsigned
                                            • String ID: Value too large for lzma_mode type
                                            • API String ID: 944333170-1290617251
                                            • Opcode ID: 6ae411187f74e92b29b62ade70f70eefa9ac204fbe687de74108c1616ed90af8
                                            • Instruction ID: 00349925e3575123d540d48ce47e866cd7f678fdf9794f4913e39ff6919421fe
                                            • Opcode Fuzzy Hash: 6ae411187f74e92b29b62ade70f70eefa9ac204fbe687de74108c1616ed90af8
                                            • Instruction Fuzzy Hash: D7F0FE61A09A4281EB904F16F4D457927A0AF88BE5F4444B4EF1D46372EE7CE494D704
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Similarity
                                            • API ID: memcmp
                                            • String ID:
                                            • API String ID: 1475443563-0
                                            • Opcode ID: 8f8bb78f2a2637a729eadb8f3da555a761f623b2f8a1b02fd96e3a6437f90bd1
                                            • Instruction ID: edcda4a4fc6805b4c69f288f9108b227c18234642f0aef9a55be72d804884ef3
                                            • Opcode Fuzzy Hash: 8f8bb78f2a2637a729eadb8f3da555a761f623b2f8a1b02fd96e3a6437f90bd1
                                            • Instruction Fuzzy Hash: 9881B361B496A3C2FB24BA26D5609BE27E1BF447C8F445431CE2D5BAEDEE28E545C300
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Similarity
                                            • API ID: memset
                                            • String ID: ..\s\crypto\sm2\sm2_crypt.c$@
                                            • API String ID: 2221118986-485510600
                                            • Opcode ID: 9b76af12ca34233910d954af12114e888bc4baa977a932fad650a07575b86026
                                            • Instruction ID: cba4bc86651f4b022fa2b4343283962724a3770a4b60e332f76822fe4bb72fd4
                                            • Opcode Fuzzy Hash: 9b76af12ca34233910d954af12114e888bc4baa977a932fad650a07575b86026
                                            • Instruction Fuzzy Hash: D5F16132B0EA8782EB20AB15E4609A967A0FF85BC8F484135DE9D477E9EF3DD545C700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Similarity
                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                            • String ID:
                                            • API String ID: 2718003287-0
                                            • Opcode ID: a359b4e95e1d4ffdf3b75e0a15f8e2470d7a7d379ae339a26f7f920b930d4175
                                            • Instruction ID: 73314b66c3180893bc0000a97116e1a8d181f279b31c4593561f92fae21e22ea
                                            • Opcode Fuzzy Hash: a359b4e95e1d4ffdf3b75e0a15f8e2470d7a7d379ae339a26f7f920b930d4175
                                            • Instruction Fuzzy Hash: 4CD1E672B08E4199E711CF75E5402AC37B9FB44FA8B184235DE5D97B9ADE38E41AC300
                                            APIs
                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6117ACBCB), ref: 00007FF6117ACCFC
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6117ACBCB), ref: 00007FF6117ACD87
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Similarity
                                            • API ID: ConsoleErrorLastMode
                                            • String ID:
                                            • API String ID: 953036326-0
                                            • Opcode ID: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
                                            • Instruction ID: 4ddfd0f4f596ffa7f4a4312e86d01ef10fe70b89c54b84b57ee22b55731100b5
                                            • Opcode Fuzzy Hash: c31540d1621b960633301173278a43c162921b7fbac8ddbd441109263ef94ee1
                                            • Instruction Fuzzy Hash: F691A672E0CE55A5F750CF65A4402BD2BA8BB44FA8F184139DE0E97BA6DF38D489C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strncmp
                                            • String ID: content-type
                                            • API String ID: 1114863663-3266185539
                                            • Opcode ID: ae43bc9e19824a9c0ccfa239a9b3ece0a99e9b6e12166f0386f4b43ad3c98a77
                                            • Instruction ID: 6cda78ec5f4cfa1a6176f8cf96b9201f9266618bf075ad81cedba0819021ec3e
                                            • Opcode Fuzzy Hash: ae43bc9e19824a9c0ccfa239a9b3ece0a99e9b6e12166f0386f4b43ad3c98a77
                                            • Instruction Fuzzy Hash: C0519123F1EA4341FB629725A560B7A6291AF45BACF441230DE7E477EDEF2CE5428700
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight$_isindst
                                            • String ID:
                                            • API String ID: 4170891091-0
                                            • Opcode ID: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
                                            • Instruction ID: acf96e78ac89aaa758ed90aa082ec795f4bb6c66ffefb05db2cca2ac8bf428e3
                                            • Opcode Fuzzy Hash: fdd97bbf6e68edbfd0100966c197f3e4f5c5660e1dd8c7e86fc9ba11ac3620d6
                                            • Instruction Fuzzy Hash: E0514832F04A128AEB14CF64A9916BC67A9AB01B78F140235DD1DD2BF6DF38E50AC701
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmove
                                            • String ID: ..\s\crypto\ct\ct_oct.c
                                            • API String ID: 2162964266-1972679481
                                            • Opcode ID: 4d66040413c67724fd92be584df515f0387c0067d9c775b4608149df9a0c3405
                                            • Instruction ID: 4f017b744a4016e950ec9fff18767f3fe2a876819e6f84054ad22b7726625bbe
                                            • Opcode Fuzzy Hash: 4d66040413c67724fd92be584df515f0387c0067d9c775b4608149df9a0c3405
                                            • Instruction Fuzzy Hash: 1971A362B0E69289E715EF2580205BC3BA1FB15F44F084532DE6C477EADE2CE6D9C711
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                            • String ID:
                                            • API String ID: 2780335769-0
                                            • Opcode ID: ef755d5346959fbddc4573098100f0e197fecc80316e8c20252f2b5a31e3b312
                                            • Instruction ID: 1dac7ce16f650c579362d327e0d79dd1671c8e1e9081494bcd7d644abac84a28
                                            • Opcode Fuzzy Hash: ef755d5346959fbddc4573098100f0e197fecc80316e8c20252f2b5a31e3b312
                                            • Instruction Fuzzy Hash: 86517022E18A418AFB10DF71E4503BD37A9BB48F68F198535DE099B7AADF38D4498740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strchr
                                            • String ID: +-.$..\s\crypto\store\store_register.c$scheme=
                                            • API String ID: 2830005266-2643984209
                                            • Opcode ID: 94bac4b2fdf24353ef543844e248bd3b9539f85d2481eaeee6a55e3f2b22877b
                                            • Instruction ID: ddc0d6debf6f676a1b05189bebc824cb04a64a3b04a743951e7f6ba700128180
                                            • Opcode Fuzzy Hash: 94bac4b2fdf24353ef543844e248bd3b9539f85d2481eaeee6a55e3f2b22877b
                                            • Instruction Fuzzy Hash: AF513C22B0EA5383FB51AB15D560AB922E0AF45B48F084036DE6C466FDEF2CF959C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memset
                                            • String ID: ..\s\crypto\buffer\buffer.c$c
                                            • API String ID: 2221118986-1501028754
                                            • Opcode ID: 9ca12e1e9a68c0642b578e2335e8e843e10f2effeffdbee841e1ba136700591e
                                            • Instruction ID: 153d76f155740bf7c0f26081ae46ac8f78f136b4a041c78743547b75168b957e
                                            • Opcode Fuzzy Hash: 9ca12e1e9a68c0642b578e2335e8e843e10f2effeffdbee841e1ba136700591e
                                            • Instruction Fuzzy Hash: D131DA32F0A64382EB00DB16E5606A963E0FB44B88F544131DF2C87BE9DF3DE5A58740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB1CE000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strncmp
                                            • String ID: ASN1:$DER:
                                            • API String ID: 1114863663-1445514312
                                            • Opcode ID: 07bdd17f3f9fb27f0fd6068de2a71446843cdb00300911d7f994f8b2d7d158c4
                                            • Instruction ID: f11f87ea1030a08f00ee7b47693df55eb886cce29ed897190f04bc75e55b8414
                                            • Opcode Fuzzy Hash: 07bdd17f3f9fb27f0fd6068de2a71446843cdb00300911d7f994f8b2d7d158c4
                                            • Instruction Fuzzy Hash: 9B21F421B1EA9782F760AB25A55077A76E1EB44B94F481131DA7D837E8DF3CF4548700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: strcmp
                                            • String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
                                            • API String ID: 1004003707-3633731555
                                            • Opcode ID: acb4bad67180354b69ecce9884ad4857aa8c5fb6cebba075e4469f5652763bf9
                                            • Instruction ID: 7bc10604b3afa7911df0726c473694393fb598a34031373e7794f2ac2072df6c
                                            • Opcode Fuzzy Hash: acb4bad67180354b69ecce9884ad4857aa8c5fb6cebba075e4469f5652763bf9
                                            • Instruction Fuzzy Hash: 9E215322B0AA4B82EB10EB55E4609A9A3A0FF88784F544135EA5C87BEDFE7DD155C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmovememset
                                            • String ID: $$..\s\crypto\rsa\rsa_none.c
                                            • API String ID: 1288253900-779172340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: X_free
                                            • String ID:
                                            • API String ID: 2268491255-0
                                            APIs
                                            • OPENSSL_sk_dup.LIBCRYPTO-1_1(00000000,00007FFE004E0775), ref: 00007FFE004E11E9
                                            • OPENSSL_sk_free.LIBCRYPTO-1_1(00000000,00007FFE004E0775), ref: 00007FFE004E1204
                                            • OPENSSL_sk_set_cmp_func.LIBCRYPTO-1_1(00000000,00007FFE004E0775), ref: 00007FFE004E1216
                                            • OPENSSL_sk_sort.LIBCRYPTO-1_1(00000000,00007FFE004E0775), ref: 00007FFE004E121E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: L_sk_dupL_sk_freeL_sk_set_cmp_funcL_sk_sort
                                            • String ID:
                                            • API String ID: 1312970346-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Err_$Buffer_Bytes_DeallocEval_MemoryReleaseResizeRestoreStringThreadThread_release_lock
                                            • String ID:
                                            • API String ID: 544407753-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Window$Process$ConsoleCurrentShowThread
                                            • String ID:
                                            • API String ID: 242035731-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Window$Process$ConsoleCurrentShowThread
                                            • String ID:
                                            • API String ID: 242035731-0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: X_new$X_free$DigestInit_exR_flagsR_key_lengthX_reset
                                            • String ID: ..\s\ssl\t1_enc.c
                                            • API String ID: 2151083367-4043206075
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _get_daylight$_invalid_parameter_noinfo
                                            • String ID: ?
                                            • API String ID: 1286766494-1684325040
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: getaddrinfo
                                            • String ID: ..\s\crypto\bio\b_addr.c
                                            • API String ID: 300660673-2547254400
                                            APIs
                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6117A8C02
                                              • Part of subcall function 00007FF6117AA0E4: HeapFree.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA0FA
                                              • Part of subcall function 00007FF6117AA0E4: GetLastError.KERNEL32(?,?,?,00007FF6117B2B22,?,?,?,00007FF6117B2B5F,?,?,00000000,00007FF6117B3025,?,?,?,00007FF6117B2F57), ref: 00007FF6117AA104
                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF61179B005), ref: 00007FF6117A8C20
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                            • String ID: C:\Users\user\Desktop\Eclf71HXa1.exe
                                            • API String ID: 3580290477-748119270
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: L_sk_numL_sk_value
                                            • String ID: ..\s\ssl\statem\extensions_clnt.c
                                            • API String ID: 557030205-592572767
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory_invalid_parameter_noinfo
                                            • String ID: .$:
                                            • API String ID: 2020911589-4202072812
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: U
                                            • API String ID: 442123175-4171548499
                                            • Opcode ID: e788713b5b8835d85b89640d10adf88a63234f8ab00a052097ad5adc3a9f47d8
                                            • Instruction ID: 3dea739d7fdfe44126d0735e802f00072e29dff94fd39aeb40e98c3048937dec
                                            • Opcode Fuzzy Hash: e788713b5b8835d85b89640d10adf88a63234f8ab00a052097ad5adc3a9f47d8
                                            • Instruction Fuzzy Hash: 8741B222A18A8595DB20CF25F4443A97768FB88BA4F444131EE8DC7799DF3CD449C740
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory
                                            • String ID: :
                                            • API String ID: 1611563598-336475711
                                            • Opcode ID: 52b5438b11414e869825b6acf0631758bdb150c62fb32d815d183be076a3aadc
                                            • Instruction ID: 7fcc787aa7c91b9db5ca52245d300680393210bb860360860a0d0481306a4b12
                                            • Opcode Fuzzy Hash: 52b5438b11414e869825b6acf0631758bdb150c62fb32d815d183be076a3aadc
                                            • Instruction Fuzzy Hash: 2421E662A08A4281EB20DF11E44427D73B9FB84F94F598135DA8D837D6DF7CE548CB41
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorLastgetsockname
                                            • String ID: ..\s\crypto\bio\b_sock.c
                                            • API String ID: 566540725-540685895
                                            • Opcode ID: 020c2ccc9a312c424bc5d75276856e8862111887ad1f0ad04361a64a7b15a02d
                                            • Instruction ID: 54ebd4da6296f3031b69239d90bf3e4dcd54f7778a8a7ee5d40ccf67ce4836d2
                                            • Opcode Fuzzy Hash: 020c2ccc9a312c424bc5d75276856e8862111887ad1f0ad04361a64a7b15a02d
                                            • Instruction Fuzzy Hash: D021A172F0954B86E7109B25E824AE967A0EF80709F644131E66C466E8DF3CE5C9CB00
                                            APIs
                                            • ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FFE004E9742), ref: 00007FFE004EE14D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 1767461275-1080266419
                                            • Opcode ID: 2edb63da3d684045c2362323214212629023d1d49c079dc5e734b482dca42726
                                            • Instruction ID: fd28db6139b54560fba5fabdde26d8d82a4d30d35d6d5ca9ce7c1a253d47d1b8
                                            • Opcode Fuzzy Hash: 2edb63da3d684045c2362323214212629023d1d49c079dc5e734b482dca42726
                                            • Instruction Fuzzy Hash: 01213D32A08B8286E7109B16E4442AAB760FB85B94F584135EF8D477AEDF3CD451CB44
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: O_clear_flagsO_set_flags
                                            • String ID: ..\s\ssl\statem\statem_srvr.c
                                            • API String ID: 3946675294-348624464
                                            • Opcode ID: a1566f16738a51bff4d1a20b5aea98e8ca9af2b4d40307e63ad806aa66787b9f
                                            • Instruction ID: 2ef1523fa7a6427af69232002794b4efddf31f20affedce54ab49c38ff1f1919
                                            • Opcode Fuzzy Hash: a1566f16738a51bff4d1a20b5aea98e8ca9af2b4d40307e63ad806aa66787b9f
                                            • Instruction Fuzzy Hash: A111BE35F0A24286FBB18B11D444BFD2782EB86300F844035DB4D077AAEF7ED8418B02
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error$R_add_error_data$conf_ssl_get_cmdconf_ssl_name_find
                                            • String ID: !$..\s\ssl\ssl_mcnf.c
                                            • API String ID: 1136227658-1677383339
                                            • Opcode ID: 0de0bf5fc6f3633442d3f84f15e5d6452d4c931375f39e90bbb71543131ca581
                                            • Instruction ID: 018df455cf3a0a341a0b1c4adecee88ec53b988a86762b04048c30a9dff5132c
                                            • Opcode Fuzzy Hash: 0de0bf5fc6f3633442d3f84f15e5d6452d4c931375f39e90bbb71543131ca581
                                            • Instruction Fuzzy Hash: EA01B567F0918142FB64D691A801BBA5191AB957D4F148439EF0C0BBEEEF3CD9964608
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 1767461275-1080266419
                                            • Opcode ID: f32ad7e74e363020744a33612b92cb8a98e38986f34aa5c9ae571ac9e465e514
                                            • Instruction ID: 61800807e216985f3e3441e614a0253377530911991c6ae14a2b333f38ccfeec
                                            • Opcode Fuzzy Hash: f32ad7e74e363020744a33612b92cb8a98e38986f34aa5c9ae571ac9e465e514
                                            • Instruction Fuzzy Hash: 64115B75F0968282FBA09BA0D4017F962A4AF85714F444135EB0C86BFEEF3CE6918618
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: 712c94e0b71dfeb4192b1cdcdfcedba21e043517165edae9774edb0317bea208
                                            • Instruction ID: c003dc5e631905d10dc6dfe821b14af2fdd238ef9e669c4e6cc1f8527988d6e2
                                            • Opcode Fuzzy Hash: 712c94e0b71dfeb4192b1cdcdfcedba21e043517165edae9774edb0317bea208
                                            • Instruction Fuzzy Hash: 2A113772608B8482EB208B15E4502A977E9FB88BA4F188634EE8D47769DF3CC559CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_error
                                            • String ID: ..\s\ssl\ssl_lib.c
                                            • API String ID: 1767461275-1080266419
                                            • Opcode ID: 216b3215e026efc6321aad9fbff295c38bfa71396ca0d293e7e753979905fc14
                                            • Instruction ID: 2fd650f81769677d33021807a4714ff97a17e08ba5b63235f8ea3a16100203b1
                                            • Opcode Fuzzy Hash: 216b3215e026efc6321aad9fbff295c38bfa71396ca0d293e7e753979905fc14
                                            • Instruction Fuzzy Hash: F4015E62A096C187F7649B95D4447E927A1FB40B08F548134DB8C477FACFBDD986CB00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903747238.00007FF611791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611790000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ff611790000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: DriveType_invalid_parameter_noinfo
                                            • String ID: :
                                            • API String ID: 2595371189-336475711
                                            • Opcode ID: 7720afce7fc7e91d22e9568d01b70dcbdfe4efe47a81c0f43b4b432c02103839
                                            • Instruction ID: 5126dd18ecd6b8d0895c14c3057bdf4a412e47b595fe36ba5321c5e4532f7b20
                                            • Opcode Fuzzy Hash: 7720afce7fc7e91d22e9568d01b70dcbdfe4efe47a81c0f43b4b432c02103839
                                            • Instruction Fuzzy Hash: 3B018F6191CA0782F731AF60A86567E27A8EF48B24F944435D94DC6B93DF2CE54C8B18
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Time$System$File
                                            • String ID: gfff
                                            • API String ID: 2838179519-1553575800
                                            • Opcode ID: a1830aa43593aa607098fe927713230bf97f4c091ee94b2b44c3ffa5bee40f8a
                                            • Instruction ID: d7a2ac30cf478065222aead563d6853ff25943a008c9e79ba5a12ccb08fdbfe8
                                            • Opcode Fuzzy Hash: a1830aa43593aa607098fe927713230bf97f4c091ee94b2b44c3ffa5bee40f8a
                                            • Instruction Fuzzy Hash: 3A01D6E2B18A8682DFA4DB29F81216567D0EBCC784F449132E74DCBB79EE2CD1418B00
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: _time64
                                            • String ID: !$..\s\crypto\ct\ct_policy.c
                                            • API String ID: 1670930206-3401457818
                                            • Opcode ID: d9f64f4cc04cddd85ee12494419b894aad7291cbd22d4c8079ebbf3f97d39cc8
                                            • Instruction ID: 899f6c599aa421064b5e49b4e2e628cd99e94ccf8fe843189f4d89d2b43ba9a3
                                            • Opcode Fuzzy Hash: d9f64f4cc04cddd85ee12494419b894aad7291cbd22d4c8079ebbf3f97d39cc8
                                            • Instruction Fuzzy Hash: 10F06232B57A0786FB149B24E421BAD6390EF50714F580435DA2D463F9EE3CE796C740
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2904868520.00007FFE004C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE004C0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe004c0000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: R_put_errormemcpy
                                            • String ID: ..\s\ssl\ssl_sess.c
                                            • API String ID: 1385177007-2868363209
                                            • Opcode ID: 78515ac419b82414ef7ee7fd7184a591ac76e62ec3da0704cd56021e0d789a2f
                                            • Instruction ID: f29b12e5df84c1785bca82d73b3e04d7b62e1a65d32a7fc5b75c1d82fc42a0ce
                                            • Opcode Fuzzy Hash: 78515ac419b82414ef7ee7fd7184a591ac76e62ec3da0704cd56021e0d789a2f
                                            • Instruction Fuzzy Hash: 80F08226F1809687FB60EBA088057FC27A0EB81346F804034E34C06BAADF6D66578A04
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2905094396.00007FFE10231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE10230000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffe10230000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: Eval_Thread$Bytes_DeallocErr_ResizeRestoreSaveString
                                            • String ID: Input format not supported by decoder
                                            • API String ID: 1378674933-2498158508
                                            • Opcode ID: d267dfb4f99a911db701918c2189631f9de7d77f14fb241418b7da16b9899cdd
                                            • Instruction ID: abb49a23f404aa70e3972834c1602d4e41290ae9ed37ee57d97ac17f1623f25e
                                            • Opcode Fuzzy Hash: d267dfb4f99a911db701918c2189631f9de7d77f14fb241418b7da16b9899cdd
                                            • Instruction Fuzzy Hash: 39F0F826A09E0285EA418B62F84522A6B64AFC8BB4F1800B2DF5D06736DF7CE086C700
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: ErrorLastioctlsocket
                                            • String ID: ..\s\crypto\bio\b_sock.c
                                            • API String ID: 1021210092-540685895
                                            • Opcode ID: ca4a8700330fb176710b5e22181c2318bb84ad31388e1f2561f293461f66697b
                                            • Instruction ID: 95b74012e9611fb3e74dd94f9620144499168087ab8b5fd28f8e9698137a21ff
                                            • Opcode Fuzzy Hash: ca4a8700330fb176710b5e22181c2318bb84ad31388e1f2561f293461f66697b
                                            • Instruction Fuzzy Hash: CFE09A22F0B65786F3106B60E835F792250EF0434EF000130E92E862F9EF2DE2A98A00
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2903872184.00007FFDFB131000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDFB130000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_7ffdfb130000_Eclf71HXa1.jbxd
                                            Similarity
                                            • API ID: memmove
                                            • String ID:
                                            • API String ID: 2162964266-0
                                            • Opcode ID: fb3f167461555afb7d89da3478eeef05d238343a975c5254a245245ac744ca66
                                            • Instruction ID: 9d90950f0bf4c8dd50e393470038bc9459c4660ea2afae8e23ea56098fba645c
                                            • Opcode Fuzzy Hash: fb3f167461555afb7d89da3478eeef05d238343a975c5254a245245ac744ca66
                                            • Instruction Fuzzy Hash: 3811B962B05A4293D710DB16E5505D963A0FF447D0F444531EF6E97BEAEF28E5E1C300